From jgentil at sebistar.net Tue Feb 1 01:51:49 2005
From: jgentil at sebistar.net (Jon-Pierre Gentil)
Date: Tue Feb 1 01:48:12 2005
Subject: Information about GNUPG
In-Reply-To: <66F5E9657FDC044E9189775375F858AC035B554B@TYOMLVEM02.e2k.ad.ge.com>
References: <66F5E9657FDC044E9189775375F858AC035B554B@TYOMLVEM02.e2k.ad.ge.com>
Message-ID: <200501311851.54347.jgentil@sebistar.net>
On Sunday 30 January 2005 08:19 pm, Ueda, Edson (GE Commercial Finance,
NonGE) wrote:
> We would like to know more details about GNUPG application.
> a) Wich Company should us contact in Japan (Osaka or Tokyo)
There is no company, it is an open-source project.
> b) We would like to know more details about installation process
http://www.gnupg.org/(en)/documentation/index.html is a good start..
--
_________________________________________________________
Jon-Pierre Gentil PGP: 0xA21BC30E
jabber: jgentil@sebistar.net web: www.sebistar.net
"If you think education is expensive, try ignorance."
_________________________________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : /pipermail/attachments/20050131/be2114e8/attachment-0001.pgp
From og at pre-secure.de Tue Feb 1 08:02:41 2005
From: og at pre-secure.de (Olaf Gellert)
Date: Tue Feb 1 08:01:23 2005
Subject: gpgsm: building of certificate chains
Message-ID: <41FF2991.5030700@pre-secure.de>
Hi list,
I was just experimenting with cross-certificates and
came across a little strange behaviour of gpgsm. Obviously
the building of certificate chains (eg from enduser to
subCA to rootCA) is influenced by the order of the
certificates in the keyring! In the case of cross-certificates
this can lead to different validation results depending
on the order of imported keys...
Example: I have the following certificates:
ranum@ranum:~> gpgsm --list-keys | grep fingerprint
Secure memory is not locked into core
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
fingerprint: 83:F2:31:0B:BF:DE:EB:0A:AF:8A:22:3D:E6:37:93:3A:C3:45:2E:1C
fingerprint: 99:9B:C4:25:AB:88:59:D1:5F:B0:E1:39:5B:0F:98:19:3B:26:80:AE
fingerprint: 44:C4:9C:82:1E:78:FA:86:53:78:2D:33:A1:41:28:E9:BF:C0:39:EE
fingerprint: 26:10:10:4B:0A:D2:9A:06:78:97:D5:CF:D1:26:50:FD:C5:4B:EF:D1
fingerprint: 52:81:29:C5:AD:64:5F:B6:A6:02:C1:D1:E1:E1:52:4B:5B:3A:97:DC
Now I try to verify a signed email:
ranum@ranum:~> gpgsm --verify testetext.signed
Secure memory is not locked into core
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
gpgsm: Signatur erzeugt am 2005-01-31 16:47:13mittels Zertifikat ID C54BEFD1
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Korrekte Signatur von "/CN=Test User B3/O=Test Organization B/C=DE/EMail=user@testorg-b.org" alias "user@testorg-b.org"
Ok, now I change the order of the certificates by removing the
certificate 99:9B:C4:... and reimporting it. Result:
ranum@ranum:~> gpgsm --verify testtext.signedlist-keys | grep fingerprint
Secure memory is not locked into core
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
fingerprint: 83:F2:31:0B:BF:DE:EB:0A:AF:8A:22:3D:E6:37:93:3A:C3:45:2E:1C
fingerprint: 44:C4:9C:82:1E:78:FA:86:53:78:2D:33:A1:41:28:E9:BF:C0:39:EE
fingerprint: 26:10:10:4B:0A:D2:9A:06:78:97:D5:CF:D1:26:50:FD:C5:4B:EF:D1
fingerprint: 52:81:29:C5:AD:64:5F:B6:A6:02:C1:D1:E1:E1:52:4B:5B:3A:97:DC
fingerprint: 99:9B:C4:25:AB:88:59:D1:5F:B0:E1:39:5B:0F:98:19:3B:26:80:AE
And now I try to verify the signed text again:
ranum@ranum:~> gpgsm --verify testtext.signed
Secure memory is not locked into core
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
gpgsm: Signatur erzeugt am 2005-01-31 16:47:13mittels Zertifikat ID C54BEFD1
gpgsm: Das Wurzelzertifikat ist nicht als vertrauensw?rdig markiert
gpgsm: Fingerprint=52:81:29:C5:AD:64:5F:B6:A6:02:C1:D1:E1:E1:52:4B:5B:3A:97:DC
gpgsm: DBG: BEGIN Certificate `issuer':
gpgsm: DBG: serial: 00
gpgsm: DBG: notBefore: 2005-01-12 12:37:40
gpgsm: DBG: notAfter: 2007-01-12 12:37:40
gpgsm: DBG: issuer: 1.2.840.113549.1.9.1=#636140746573746F72672D622E6F7267,
CN=Test Root CA B1,O=Test Organization B,C=DE
gpgsm: DBG: subject: 1.2.840.113549.1.9.1=#636140746573746F72672D622E6F7267,
CN=Test Root CA B1,O=Test Organization B,C=DE
gpgsm: DBG: hash algo: 1.2.840.113549.1.1.5
gpgsm: DBG: SHA1 Fingerprint: 52:81:29:C5:AD:64:5F:B6:A6:02:C1:D1:E1:E1:52:4B:
5B:3A:97:DC
gpgsm: DBG: END Certificate
gpgsm: after checking the fingerprint, you may want to add it manually to the li
st of trusted certificates.
gpgsm: invalid certification chain: Nicht vertrauensw?rdig
I would say, the certificate chains should be build using
an exhaustive search of the existing certificates, gpgsm
seems to try only the first match.
Olaf
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE og@pre-secure.de
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
From twoaday at freakmail.de Tue Feb 1 08:05:35 2005
From: twoaday at freakmail.de (Timo Schulz)
Date: Tue Feb 1 08:48:05 2005
Subject: GnuGP 1.4a & G DATA Outlook Plugin
Message-ID: <20050201070535.GA814@daredevil.joesixpack.net>
On Sat Jan 29 2005; 01:47, Paul Rarey wrote:
> When I install the G-DATA Outlook plugin .91 (just the plugin option - not
> the full install) the G-DATA plugin fails. Won't sign and/or encrypt (posts
> blank body), Nor does the Key Manager work.
Maybe you can try again with 0.94. This version contains a lot of bug fixes.
You can get it here: http://www.winpt.org
FYI, winpt.org is no longer redirected to SF.net
Timo
From wk at gnupg.org Tue Feb 1 09:51:14 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue Feb 1 12:31:04 2005
Subject: Information about GNUPG
In-Reply-To: <200501311851.54347.jgentil@sebistar.net> (Jon-Pierre Gentil's
message of "Mon, 31 Jan 2005 18:51:49 -0600")
References: <66F5E9657FDC044E9189775375F858AC035B554B@TYOMLVEM02.e2k.ad.ge.com>
<200501311851.54347.jgentil@sebistar.net>
Message-ID: <878y68vf25.fsf@wheatstone.g10code.de>
On Mon, 31 Jan 2005 18:51:49 -0600, Jon-Pierre Gentil said:
> There is no company, it is an open-source project.
Well there are quite some companies providing support for Free
Software (i.e. what you call open source). See for example
http://www.gnu.org/prep/service.html . Don't know about contacts in
Japan, though. Googling for "gnupg", "keyserver", "openpgp", "Japan"
etc. will likely give you a list of potential service providers.
Salam-Shalom,
Werner
--
Werner Koch
The GnuPG Experts http://g10code.com
Free Software Foundation Europe http://fsfeurope.org
From yraffah at gmail.com Tue Feb 1 09:46:26 2005
From: yraffah at gmail.com (Yousef Raffah)
Date: Tue Feb 1 14:15:41 2005
Subject: GnuPG+GPGShell+GData+Outlook2002 signing binaries problem
In-Reply-To: <41FE7D7E.1070209@bpuk.net>
References:
<41FD1C54.8050100@bpuk.net>
<41FE7D7E.1070209@bpuk.net>
Message-ID:
On Mon, 31 Jan 2005 18:48:30 +0000, Barry Porter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 31/01/2005 08:57, Yousef Raffah wrote:
>
> Hi Yousef,
>
> > Thanks Barry,
> >
> > I tried the update but still didn't fix the problem, however, I
> > noticed now the attachments are signed with *.png.pgp extension
> > instead of *.png.gpg. I guess this means the patch is working fine for
> > me but it didn't fix the problem on binary attachments yet!
> >
> > What do you think?
>
> What format are you trying to write your emails in in Outlook? If you
> are using anything other than plain text that will cause problems too.
>
That's an interesting point, although I was using rich text, I changed
it to plain text, but still no luck :(. Binaries are being corrupted.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1-cvs (Windows XP Pro SP2)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFB/n183wKVPLs2unURAr8ZAKCdFctQ6vq7hXV5kIj1RuM/n+Q2rQCfafXV
> SsYiZA2cT2JU6CUK7qlA8PI=
> =Kwxa
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
--
=========
Sincerely,
Yousef Raffah
Join FSF as an Associate Member at:
Get
Firefox!
From pschott at drivefinancial.com Tue Feb 1 18:40:50 2005
From: pschott at drivefinancial.com (Peter Schott)
Date: Tue Feb 1 19:57:06 2005
Subject: Issue with WinPT and GPG versions
Message-ID: <4E28ECEE2E06784AA8921F82878C889E026C5D32@DFSTXEXCH3.dfs.com>
Tried to run the latest version of WinPT on a new workstation. For some
reason, it can't determine the correct version of GPG with GPG 1.40a for
Windows. The latest version tells me I need to run something higher.
Going backwards in the WinPT.exe and dll, it keeps giving me version
problems even to the point of saying GPG 1.21 or higher.
Has anyone else encountered this? What is the problem/fix if you have?
Thanks.
Peter A. Schott
drive financial services
Database Administrator
p: 214.237.3567
c: 214.734.1792
f: 214.237.3791
email: pschott@drivefinancial.com
___________________________________________________________________________________
This e-mail is covered by the Electronic Communications Privacy Act, 18 U.S.C.
Sections 2510-2521. The information contained in this e-mail is confidential
and intended only for use of the individual or entity named above. If the reader
of this message is not the intended recipient, or the employee or agent
responsible to deliver it to the intended recipient, you are hereby notified
that any dissemination, distribution or copying of this communication is strictly
prohibited. If you have received this message in error or there are any problems
please notify the originator immediately.
The unauthorized use, disclosure, copying or alteration of this message is
strictly forbidden. This mail and any attachments have been scanned for viruses
prior to leaving the Drive Financial Services network. Drive Financial Services
will not be liable for direct, special, indirect or consequential damages arising
from alteration of the contents of this message by a third party or as a result of
any virus being passed on.
___________________________________________________________________________________
From twoaday at freakmail.de Tue Feb 1 22:05:46 2005
From: twoaday at freakmail.de (Timo Schulz)
Date: Tue Feb 1 22:11:18 2005
Subject: Issue with WinPT and GPG versions
In-Reply-To: <4E28ECEE2E06784AA8921F82878C889E026C5D32@DFSTXEXCH3.dfs.com>
References: <4E28ECEE2E06784AA8921F82878C889E026C5D32@DFSTXEXCH3.dfs.com>
Message-ID: <20050201210546.GA2240@daredevil.joesixpack.net>
On Tue Feb 01 2005; 11:40, Peter Schott wrote:
> Tried to run the latest version of WinPT on a new workstation. For some
> reason, it can't determine the correct version of GPG with GPG 1.40a for
This sounds like a problem with 0.9.14. But this is not the latest
version. I know that 0.9.50/0.9.90-cvs will work with GPG >= 1.4.x
You can get 0.9.50 at http://www.winpt.org
Timo
From wk at gnupg.org Tue Feb 1 22:46:18 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue Feb 1 22:45:41 2005
Subject: Issue with WinPT and GPG versions
In-Reply-To: <4E28ECEE2E06784AA8921F82878C889E026C5D32@DFSTXEXCH3.dfs.com>
(Peter Schott's message of "Tue, 1 Feb 2005 11:40:50 -0600")
References: <4E28ECEE2E06784AA8921F82878C889E026C5D32@DFSTXEXCH3.dfs.com>
Message-ID: <87r7k0nec5.fsf@wheatstone.g10code.de>
On Tue, 1 Feb 2005 11:40:50 -0600, Peter Schott said:
> Tried to run the latest version of WinPT on a new workstation. For some
What do you think is the latest version? Tried 0.9.50 at
www.winpt.org ?
Shalom-Salam,
Werner
From sk at intertivity.com Wed Feb 2 02:41:36 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Wed Feb 2 02:37:45 2005
Subject: --yes
Message-ID: <002301c508c8$55b7fdd0$f300a8c0@HOME>
Hi everyone,
Fyi:
I have WinXp SP2 and gnupg 1.4.0a (compileted myself using MinGW).
Why is --yes not always working. I used following call:
gpg --dry-run --yes --default-key XYZ --passphrase-fd 0 --command-fd 0
--status-fd 2 --sign-key ABC
It still asks me "Really sign all user Ids?" or "Really sign?".
Is it a security reason or my own stupidy :) ?
Have fun
esskar
From wk at gnupg.org Wed Feb 2 09:47:47 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 2 09:45:41 2005
Subject: --yes
In-Reply-To: <002301c508c8$55b7fdd0$f300a8c0@HOME> (Sascha Kiefer's message
of "Wed, 2 Feb 2005 02:41:36 +0100")
References: <002301c508c8$55b7fdd0$f300a8c0@HOME>
Message-ID: <87fz0fnya4.fsf@wheatstone.g10code.de>
On Wed, 2 Feb 2005 02:41:36 +0100, Kiefer, Sascha said:
> Why is --yes not always working. I used following call:
--yes Assume "yes" on most questions.
^^^^
Shalom-Salam,
Werner
From list at rachinsky.de Wed Feb 2 09:23:47 2005
From: list at rachinsky.de (Nicolas Rachinsky)
Date: Wed Feb 2 10:18:03 2005
Subject: difference between undef and unknown
Message-ID: <20050202082347.GA29393@pc5.i.0x5.de>
Hallo,
can somebody tell me, what the difference between validity 'undef'
and validity 'unknown' is?
Like here:
pub 1024D/5B0358A2 1999-03-15 [expires: 2009-07-11]
uid [ unknown] Werner Koch
uid [ undef ] Werner Koch
uid [ undef ] Werner Koch
Thanks,
Nicolas
From sk at intertivity.com Wed Feb 2 13:19:25 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Wed Feb 2 13:15:44 2005
Subject: --list-sigs, --check-sigs and --list-keys
Message-ID: <4200C54D.4040305@intertivity.com>
Hi.
1. is it true that --check-sigs and --list-sigs have pretty much the
same output: --check-sigs just adds the signature information?
I used the following syntax:
--fixed-list-mode --with-colons --list-keys --with-fingerprint
--with-fingerprint
--fixed-list-mode --with-colons --check-sigs --with-fingerprint
--with-fingerprint
2. is there a significant performance difference between --check-sigs
and --list-sigs?
Thanks for help.
esskar
From dshaw at jabberwocky.com Wed Feb 2 16:40:55 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 2 16:37:33 2005
Subject: --list-sigs, --check-sigs and --list-keys
In-Reply-To: <4200C54D.4040305@intertivity.com>
References: <4200C54D.4040305@intertivity.com>
Message-ID: <20050202154055.GA9429@jabberwocky.com>
On Wed, Feb 02, 2005 at 01:19:25PM +0100, Sascha Kiefer wrote:
> Hi.
>
> 1. is it true that --check-sigs and --list-sigs have pretty much the
> same output: --check-sigs just adds the signature information?
--list-sigs shows the sigs. --check-sigs goes one step further and
checks the sigs for validity.
> 2. is there a significant performance difference between --check-sigs
> and --list-sigs?
In general --check-sigs is going to be slower as there is more work to
do. Whether it is significant or not depends on a number of factors.
In most cases with 1.4.0, it's not even noticable. In some cases
(with Elgamal signatures and older GnuPG), it's 20-30 minutes slower.
David
From dshaw at jabberwocky.com Wed Feb 2 15:11:53 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 2 16:51:53 2005
Subject: difference between undef and unknown
In-Reply-To: <20050202082347.GA29393@pc5.i.0x5.de>
References: <20050202082347.GA29393@pc5.i.0x5.de>
Message-ID: <20050202141153.GB29147@jabberwocky.com>
On Wed, Feb 02, 2005 at 09:23:47AM +0100, Nicolas Rachinsky wrote:
> Hallo,
>
> can somebody tell me, what the difference between validity 'undef'
> and validity 'unknown' is?
>
> Like here:
> pub 1024D/5B0358A2 1999-03-15 [expires: 2009-07-11]
> uid [ unknown] Werner Koch
> uid [ undef ] Werner Koch
> uid [ undef ] Werner Koch
Unknown means completely unknown. The trust calculations have not yet
reached that key, the user ID is not signed by any key you have, etc.
Undefined means not enough information. For example, if you have
marginals-needed set to 3 and only have 2 marginal signatures.
In practice, they are the same. Either way, the user ID isn't valid
to encrypt to without a warning.
David
From wk at gnupg.org Wed Feb 2 18:13:11 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 2 18:10:42 2005
Subject: --list-sigs, --check-sigs and --list-keys
In-Reply-To: <20050202154055.GA9429@jabberwocky.com> (David Shaw's message
of "Wed, 2 Feb 2005 10:40:55 -0500")
References: <4200C54D.4040305@intertivity.com>
<20050202154055.GA9429@jabberwocky.com>
Message-ID: <87brb2khqw.fsf@wheatstone.g10code.de>
On Wed, 2 Feb 2005 10:40:55 -0500, David Shaw said:
> In most cases with 1.4.0, it's not even noticable. In some cases
Unless you are using a P100 box which was my fastest development box
at the time I impleemnted these options ;-)
Werner
From jharris at widomaker.com Wed Feb 2 18:56:50 2005
From: jharris at widomaker.com (Jason Harris)
Date: Wed Feb 2 18:53:08 2005
Subject: --list-sigs, --check-sigs and --list-keys
In-Reply-To: <20050202154055.GA9429@jabberwocky.com>
References: <4200C54D.4040305@intertivity.com>
<20050202154055.GA9429@jabberwocky.com>
Message-ID: <20050202175649.GA3466@wilma.widomaker.com>
On Wed, Feb 02, 2005 at 10:40:55AM -0500, David Shaw wrote:
> On Wed, Feb 02, 2005 at 01:19:25PM +0100, Sascha Kiefer wrote:
> > 2. is there a significant performance difference between --check-sigs
> > and --list-sigs?
>
> In general --check-sigs is going to be slower as there is more work to
> do. Whether it is significant or not depends on a number of factors.
> In most cases with 1.4.0, it's not even noticable. In some cases
> (with Elgamal signatures and older GnuPG), it's 20-30 minutes slower.
Also, IINM, signature validities are cached in the (writable) keyring(s).
Valid signatures apparently look like this (pgpdump output):
Old: Trust Packet(tag 12)(2 bytes)
Trust - 00 03
NB: If you want to disable this (and other such) caching, use
--no-sig-cache.
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050202/f98dbae2/attachment.pgp
From sk at intertivity.com Wed Feb 2 20:25:05 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Wed Feb 2 20:21:10 2005
Subject: --list-sigs, --check-sigs and --list-keys
In-Reply-To: <20050202154055.GA9429@jabberwocky.com>
Message-ID: <000201c5095c$e6dfe040$f300a8c0@HOME>
But it is true that --check-sigs just extends the --list-keys call?
Right?
> Behalf Of David Shaw
> Sent: Mittwoch, 2. Februar 2005 16:41
>
> On Wed, Feb 02, 2005 at 01:19:25PM +0100, Sascha Kiefer wrote:
> > Hi.
> >
> > 1. is it true that --check-sigs and --list-sigs have pretty much the
> > same output: --check-sigs just adds the signature information?
>
> --list-sigs shows the sigs. --check-sigs goes one step
> further and checks the sigs for validity.
>
> > 2. is there a significant performance difference between
> --check-sigs
> > and --list-sigs?
>
> In general --check-sigs is going to be slower as there is
> more work to do. Whether it is significant or not depends on
> a number of factors. In most cases with 1.4.0, it's not even
> noticable. In some cases (with Elgamal signatures and older
> GnuPG), it's 20-30 minutes slower.
>
> David
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
From thfrdue at gmx.de Wed Feb 2 21:12:18 2005
From: thfrdue at gmx.de (=?ISO-8859-15?Q?=22Thomas_F=2E_D=FCllmann=22?=)
Date: Wed Feb 2 22:08:33 2005
Subject: "Malformed user ID"
Message-ID: <42013422.4070107@gmx.de>
Hi,
everytime I want to encrypt any file/text following error message is
displayed:
"malformed user id"
How can I solve this problem/ what is the cause for this problem?
Thanks very much
Greetz
Thomas
Email: thfrdue@gmx.de
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.4 - Release Date: 01.02.2005
From dshaw at jabberwocky.com Wed Feb 2 22:55:48 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 2 22:52:30 2005
Subject: --list-sigs, --check-sigs and --list-keys
In-Reply-To: <20050202175649.GA3466@wilma.widomaker.com>
References: <4200C54D.4040305@intertivity.com>
<20050202154055.GA9429@jabberwocky.com>
<20050202175649.GA3466@wilma.widomaker.com>
Message-ID: <20050202215548.GD9429@jabberwocky.com>
On Wed, Feb 02, 2005 at 12:56:50PM -0500, Jason Harris wrote:
> On Wed, Feb 02, 2005 at 10:40:55AM -0500, David Shaw wrote:
> > On Wed, Feb 02, 2005 at 01:19:25PM +0100, Sascha Kiefer wrote:
>
> > > 2. is there a significant performance difference between --check-sigs
> > > and --list-sigs?
> >
> > In general --check-sigs is going to be slower as there is more work to
> > do. Whether it is significant or not depends on a number of factors.
> > In most cases with 1.4.0, it's not even noticable. In some cases
> > (with Elgamal signatures and older GnuPG), it's 20-30 minutes slower.
>
> Also, IINM, signature validities are cached in the (writable) keyring(s).
That's why in most cases with 1.4.0 it's not even noticable. Every
time you check your trustdb, uncached signatures are cached.
David
From pschott at drivefinancial.com Wed Feb 2 23:15:05 2005
From: pschott at drivefinancial.com (Peter Schott)
Date: Wed Feb 2 23:10:51 2005
Subject: Issue with WinPT and GPG versions - resolved
Message-ID: <4E28ECEE2E06784AA8921F82878C889E026C5EA2@DFSTXEXCH3.dfs.com>
Installing the latest complete package from www.winpt.org did the trick.
No idea why it wasn't working when I tried with the other versions. One
more program to check off my list for migrating. :-)
Thanks for the suggestion on the reinstall with the latest version.
Peter A. Schott
drive financial services
Database Administrator
p: 214.237.3567
c: 214.734.1792
f: 214.237.3791
email: pschott@drivefinancial.com
------------------------------
Date: Tue, 1 Feb 2005 22:05:46 +0100
From: Timo Schulz
Subject: Re: Issue with WinPT and GPG versions
On Tue Feb 01 2005; 11:40, Peter Schott wrote:
> Tried to run the latest version of WinPT on a new workstation. For
some
> reason, it can't determine the correct version of GPG with GPG 1.40a
for
This sounds like a problem with 0.9.14. But this is not the latest
version. I know that 0.9.50/0.9.90-cvs will work with GPG >= 1.4.x
You can get 0.9.50 at http://www.winpt.org
Timo
___________________________________________________________________________________
This e-mail is covered by the Electronic Communications Privacy Act, 18 U.S.C.
Sections 2510-2521. The information contained in this e-mail is confidential
and intended only for use of the individual or entity named above. If the reader
of this message is not the intended recipient, or the employee or agent
responsible to deliver it to the intended recipient, you are hereby notified
that any dissemination, distribution or copying of this communication is strictly
prohibited. If you have received this message in error or there are any problems
please notify the originator immediately.
The unauthorized use, disclosure, copying or alteration of this message is
strictly forbidden. This mail and any attachments have been scanned for viruses
prior to leaving the Drive Financial Services network. Drive Financial Services
will not be liable for direct, special, indirect or consequential damages arising
from alteration of the contents of this message by a third party or as a result of
any virus being passed on.
___________________________________________________________________________________
From wk at gnupg.org Thu Feb 3 08:16:52 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 3 08:22:20 2005
Subject: --list-sigs, --check-sigs and --list-keys
In-Reply-To: <000201c5095c$e6dfe040$f300a8c0@HOME> (Sascha Kiefer's message
of "Wed, 2 Feb 2005 20:25:05 +0100")
References: <000201c5095c$e6dfe040$f300a8c0@HOME>
Message-ID: <87r7jyi04b.fsf@wheatstone.g10code.de>
On Wed, 2 Feb 2005 20:25:05 +0100, Kiefer, Sascha said:
> But it is true that --check-sigs just extends the --list-keys call?
> Right?
True.
Shalom-Salam,
Werner
From wk at gnupg.org Thu Feb 3 08:23:13 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 3 09:14:30 2005
Subject: "Malformed user ID"
In-Reply-To: <42013422.4070107@gmx.de> (
=?utf-8?q?Thomas_F=2E_D=C3=BCllmann's_message_of?= "Wed, 02 Feb 2005
21:12:18 +0100")
References: <42013422.4070107@gmx.de>
Message-ID: <87mzumhztq.fsf@wheatstone.g10code.de>
On Wed, 02 Feb 2005 21:12:18 +0100, Thomas F D?llmann said:
> everytime I want to encrypt any file/text following error message is
> displayed:
> "malformed user id"
You used an empty string for a user ID (recipient or signer), it does
not match the syntax for a keyid or similar.
You should give an example of what you did and not just a part of the
error message.
Salam-Shalom,
Werner
From bjoern.klement at web.de Thu Feb 3 09:13:30 2005
From: bjoern.klement at web.de (=?iso-8859-1?Q? Bj=F6rn=20Klement ?=)
Date: Thu Feb 3 10:39:07 2005
Subject: Smartcard to decrypt a Filesystem
Message-ID: <857142288@web.de>
Hi,
I want to store a key on a smartcard. And now I want to use the smartcard token to access to an encrypted filesystem or file. I tried to crypt a Filesystem with losetup.
gpg --decrypt /tmp/key.gpg | /sbin/losetup -e AES128 /dev/loop0 /dev/hda6 -p 0
mount /dev/loop0 /crypto
It works fine, but the key is stored local and I want to store the key on a Aladdin Etoken Pro. And other People with the key an there Token should also decrypt the fs.
Thanks.
Bj?rn
__________________________________________________________
Mit WEB.DE FreePhone mit hoechster Qualitaet ab 0 Ct./Min.
weltweit telefonieren! http://freephone.web.de/?mc=021201
From david69 at charter.net Thu Feb 3 10:42:52 2005
From: david69 at charter.net (David)
Date: Thu Feb 3 11:25:01 2005
Subject: RSA subkeys
Message-ID: <20050203094252.GA2406@charter.net>
Hello,
I'm using gpg 1.2.1 on RH9.
I consider generating RSA key as described:
master 2048 RSA key sign only, used for signing sub-keys, doesn't expire
|
|- 2048 RSA sign sub-key, for signing docs, expires
|
|- 4096 RSA encryption sub-key, expires
1. I plan to generate a new sub-key shortly before the previous one
expires. Will my recipients consider the new sub-key as valid since
it is signed by the master key?
2. Are there any compatibility issues I should consider?
Thanks,
David
--
"In theory, there is no difference between theory and practice. But, in
practice, there is."
- Jan L.A. van de Snepscheut -
From wk at gnupg.org Thu Feb 3 12:48:26 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 3 12:46:32 2005
Subject: [Announce] release candidate for 1.4.1 available
Message-ID: <87fz0dhnjp.fsf@wheatstone.g10code.de>
Hi!
We are pleased to announce the availability of a release candidate for
the forthcoming 1.4.1 version of gnupg:
ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2 (2709k)
ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2.sig
A binary for Windows is also available:
ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe (1377k)
ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe.sig
Please try these versions out and report any problems. The installer
used for the Windows binary package is pretty basic right now but
nevertheless a first step. In particular, selecting the language to
use still needs manual interaction. We hope to improve it over time.
Checksums are:
323445ee8e0c1de97243c646538d9f5dae5567ff gnupg-1.4.1rc1.tar.bz2
cda3e84f89dd7a0fd7df59e4c142e7bbb9669cb2 gnupg-w32cli-1.4.1rc1.exe
Noteworthy changes since 1.4.0:
* New --rfc2440-text option which controls how text is handled in
signatures. This is in response to some problems seen with
certain PGP/MIME mail clients and GnuPG version 1.4.0. More
details about this are available at
* New "import-unusable-sigs" and "export-unusable-sigs" tags for
--import-options and --export-options. These are on by
default, and cause GnuPG to not import or export key signatures
that are not usable (e.g. expired signatures).
* New experimental HTTP, HTTPS, FTP, and FTPS keyserver helper
that uses the cURL library to retrieve
keys. This is disabled by default, but may be enabled with the
configure option --with-libcurl. Without this option, the
existing HTTP code is used for HTTP, and HTTPS, FTP, and FTPS
are not supported.
* When running a --card-status or --card-edit and a public key is
available, missing secret key stubs will be created on the fly.
Details of the key are listed too.
* The implicit packet dumping in double verbose mode is now send
to stderr and not to stdout.
* [W32] The algorithm for the default home directory changed:
First we look at the environment variable GNUPGHOME, if this one
is not set, we check whether the registry entry
{HKCU,HKLM}\Software\GNU\GnuPG:HomeDir has been set. If this
fails we use a GnuPG directory below the standard application
data directory (APPDATA) of the current user. Only in the case
that this directory cannot be determined, the old default of
c:\gnupg will be used. The option --homedir still overrides all
of them.
* [W32] The locale selection under Windows changed. You need to
enter the locale in the registry at HKCU\Software\GNU\GnuPG:Lang.
For German you would use "de". If it is not set, GnupG falls
back to HKLM. The languages files "*.mo" are expected in a
directory named "gnupg.nls" below the installation directory;
that directory must be stored in the registry at the same key as
above with the name "Install Directory".
Happy Hacking,
David, Timo, Werner
--
Werner Koch
The GnuPG Experts http://g10code.com
Free Software Foundation Europe http://fsfeurope.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : /pipermail/attachments/20050203/005c5657/attachment.pgp
From sk at intertivity.com Thu Feb 3 14:19:30 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Thu Feb 3 14:15:36 2005
Subject: capacity of keyring
In-Reply-To: <4200C54D.4040305@intertivity.com>
References: <4200C54D.4040305@intertivity.com>
Message-ID: <420224E2.9070900@intertivity.com>
Hi.
It's me again! :-)
Do you know how many keys can you put into a keystore and
still be fast?
What happens when I put 10.000 keys in there? What about 100.000 keys?
Greetings
esskar
From henkdebruijn at wanadoo.nl Thu Feb 3 15:07:30 2005
From: henkdebruijn at wanadoo.nl (Henk de Bruijn)
Date: Thu Feb 3 15:03:36 2005
Subject: [Announce] release candidate for 1.4.1 available
In-Reply-To: <87fz0dhnjp.fsf@wheatstone.g10code.de>
References: <87fz0dhnjp.fsf@wheatstone.g10code.de>
Message-ID: <5910418497.20050203150730@wanadoo.nl>
On Thu, 03 Feb 2005 12:48:26 +0100GMT (3-2-2005, 12:48 +0100, where I
live), Werner Koch wrote:
> We are pleased to announce the availability of a release candidate for
> the forthcoming 1.4.1 version of gnupg:
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2 (2709k)
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2.sig
> A binary for Windows is also available:
>
> ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe
> (1377k)
>
> ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe.sig
> Please try these versions out and report any problems. The installer
> used for the Windows binary package is pretty basic right now but
> nevertheless a first step. In particular, selecting the language to
> use still needs manual interaction. We hope to improve it over time.
Thanks, up and running!
--
Henk
______________________________________________________________________
The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2
PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678
Gossamer Spider Web of Trust GSWoT http://www.gswot.org/
A Progressive and Innovative Web of Trust
From thfrdue at gmx.de Thu Feb 3 15:15:10 2005
From: thfrdue at gmx.de (=?ISO-8859-15?Q?=22Thomas_F=2E_D=FCllmann=22?=)
Date: Thu Feb 3 15:11:16 2005
Subject: "Malformed User ID"
Message-ID: <420231EE.20302@gmx.de>
Hi,
as recently posted I get an errormessage if i want to encrypt any File/Text.
I tried it twice:
1. I tried to encrypt a file.
2. I tried to encrypt a mail.
Both ended with the errormessage "Malformed User ID".
I chose another email-address of mine, so i had the public key.
Greetz
Thomas
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.4 - Release Date: 01.02.2005
From JediKnight2 at ec.rr.com Thu Feb 3 14:42:25 2005
From: JediKnight2 at ec.rr.com (Kevin Smith)
Date: Thu Feb 3 15:15:08 2005
Subject: Multiple files
Message-ID: <200502031342.j13DgIKj013182@ms-smtp-01-eri0.southeast.rr.com>
Is there a way to encrypt multiple files at one time...say I want to encrypt
EVERY file in a folder called tobeencrypted...any easy way??
From dshaw at jabberwocky.com Thu Feb 3 15:19:25 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 3 15:16:03 2005
Subject: Smartcard to decrypt a Filesystem
In-Reply-To: <857142288@web.de>
References: <857142288@web.de>
Message-ID: <20050203141925.GA10077@jabberwocky.com>
On Thu, Feb 03, 2005 at 09:13:30AM +0100, Bj?rn Klement wrote:
> Hi,
>
> I want to store a key on a smartcard. And now I want to use the smartcard token to access to an encrypted filesystem or file. I tried to crypt a Filesystem with losetup.
>
> gpg --decrypt /tmp/key.gpg | /sbin/losetup -e AES128 /dev/loop0 /dev/hda6 -p 0
>
> mount /dev/loop0 /crypto
>
> It works fine, but the key is stored local and I want to store the
> key on a Aladdin Etoken Pro. And other People with the key an there
> Token should also decrypt the fs.
Get yourself one of these: http://www.g10code.de/p-card.html
and you're all set.
David
From johanw at vulcan.xs4all.nl Thu Feb 3 16:42:21 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Feb 3 16:38:44 2005
Subject: Multiple files
In-Reply-To: <200502031342.j13DgIKj013182@ms-smtp-01-eri0.southeast.rr.com>
from Kevin Smith at "Feb 3, 2005 08:42:25 am"
Message-ID: <200502031542.QAA03539@vulcan.xs4all.nl>
Kevin Smith wrote:
>Is there a way to encrypt multiple files at one time...say I want to encrypt
>EVERY file in a folder called tobeencrypted...any easy way??
#!/bin/bash
for i in *; do gpg -e -r myname $i; done
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From texmex at uni.de Thu Feb 3 15:36:51 2005
From: texmex at uni.de (Gregor Zattler)
Date: Thu Feb 3 16:56:38 2005
Subject: release candidate for 1.4.1 available
In-Reply-To: <87fz0dhnjp.fsf@wheatstone.g10code.de>
References: <87fz0dhnjp.fsf@wheatstone.g10code.de>
Message-ID: <20050203143651.GD19332@pit.ID-43118.user.dfncis.de>
Hi Werner,
* Werner Koch [03. Feb. 2005]:
> We are pleased to announce the availability of a release candidate for
> the forthcoming 1.4.1 version of gnupg:
>
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2 (2709k)
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2.sig
>
> A binary for Windows is also available:
>
> ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe (1377k)
> ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe.sig
>
> Please try these versions out and report any problems. The installer
> used for the Windows binary package is pretty basic right now but
> nevertheless a first step. In particular, selecting the language to
> use still needs manual interaction. We hope to improve it over time.
I installed it with WINE under Linux, imported my pubring.gpg and
successfully checked the signature file.
I installed it on Win98se and got an alarm box saying: gpg.exe is
linked to the not available Export-SHELL32.DLL:SHGetFolderPathA.
(Message was shown in german, I translated it. For original see
attached image).
> * [W32] The locale selection under Windows changed. You need to
> enter the locale in the registry at HKCU\Software\GNU\GnuPG:Lang.
> For German you would use "de". If it is not set, GnupG falls
> back to HKLM. The languages files "*.mo" are expected in a
> directory named "gnupg.nls" below the installation directory;
> that directory must be stored in the registry at the same key as
> above with the name "Install Directory".
I did this under WINE and the output was half english half german.
The Umlauts didn't show correct. This may be a problem of my WINE
installation.
Gregor
From atom at smasher.org Thu Feb 3 17:24:39 2005
From: atom at smasher.org (Atom Smasher)
Date: Thu Feb 3 17:20:37 2005
Subject: RSA subkeys
In-Reply-To: <20050203094252.GA2406@charter.net>
References: <20050203094252.GA2406@charter.net>
Message-ID: <20050203162428.71861.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Thu, 3 Feb 2005, David wrote:
> Hello,
>
> I'm using gpg 1.2.1 on RH9.
=============
gpg 1.4 is better. no comment on RH9.
> I consider generating RSA key as described:
>
> master 2048 RSA key sign only, used for signing sub-keys, doesn't expire
> |
> |- 2048 RSA sign sub-key, for signing docs, expires
> |
> |- 4096 RSA encryption sub-key, expires
>
> 1. I plan to generate a new sub-key shortly before the previous one
> expires. Will my recipients consider the new sub-key as valid since
> it is signed by the master key?
================
why not update the expiration date on the subkeys, and keep them? if
they're not compromised there's no reason to throw them away.
> 2. Are there any compatibility issues I should consider?
=================
RSA support is optional in rfc2440. i've been using an RSA only key for a
while with no problems, mostly with other gpg users.
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"The shepherd drives the wolf from the sheep's for which
the sheep thanks the shepherd as his liberator, while the
wolf denounces him for the same act as the destroyer of
liberty. Plainly, the sheep and the wolf are not agreed
upon a definition of liberty."
-- Abraham Lincoln
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCAlBNAAoJEAx/d+cTpVcifcgIAIU35WoazW2SArq1tZoENtS0
IONPyp8KvoMkqgcDXFomHNd56yeDqtdSeuXjnwQQI+hsh+NBXzZPC2By/EoZi3FI
V8EQpj6g5jCitvxfZHmdU17R6DlDhndh+wp1kT8bP6IHOQFmrptopyhta0tBD2od
9SylW8krjz1ChjPEeEhEeM8PP9hxVgcWwg4c0oH6B2VLTToC3P21nzD/Qm77y0/x
dzEhoYFAjP7SeOp269kAZCyxnhrU2mE9TF9zuyyYn36t93OTRbuf4xVwz46rcCiB
BEKc7KBovb3263Y1FcXYpXm6qDujDyyaqPcR+tMTJ9xXEvSUk54dOjYxmu5iiYM=
=hGI4
-----END PGP SIGNATURE-----
From atom at smasher.org Thu Feb 3 17:29:41 2005
From: atom at smasher.org (Atom Smasher)
Date: Thu Feb 3 17:25:35 2005
Subject: Multiple files
In-Reply-To: <200502031342.j13DgIKj013182@ms-smtp-01-eri0.southeast.rr.com>
References: <200502031342.j13DgIKj013182@ms-smtp-01-eri0.southeast.rr.com>
Message-ID: <20050203162929.80332.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Thu, 3 Feb 2005, Kevin Smith wrote:
> Is there a way to encrypt multiple files at one time...say I want to
> encrypt EVERY file in a folder called tobeencrypted...any easy way??
=====================
--multifile
This modifies certain other commands to accept multiple files for
processing on the command line or read from stdin with each
filename on a separate line. This allows for many files to be
processed at once. --multifile may currently be used along with
--verify, --encrypt, and --decrypt. Note that `--multifile
--verify' may not be used with detached signatures.
second time that this has been asked recently. should it go in the faq?
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"This is Radio Clash
On pirate satellite
Orbiting your living room
Everybody hold on tight"
-- The Clash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCAlF7AAoJEAx/d+cTpVcinNgH/jjnYQJXOKXGJc9hFOK3sX+A
08lapg7nMa7m738UKW72WrP9+U9RtKNiG0SnPiM5jz/fS+bd+0BxI8K+gStKxygl
CXUT+shlnZD80Q7Rw+qSfatL2vxIxrEduhFHCh9IsT4ZWfy5cu/wz8uel4VmawSg
pnH0kCq2OJv5Gb2rExzjp/mKY0p3G/2IMY072k4Jrv9jsrdCxVf6Yij+EeTn488I
Ed6YrXhynQj9wzxZhzeaStVqhGTe9/zumB0KIWvGpBCTbt++3JfoDMzSjlGFSNEV
BEwX4nSZJCtHNSDaFGyY4c8PavFjvCFiTjUhvn6pcnWkY05SkiNJJ/Yh4wTkNgw=
=Mtfz
-----END PGP SIGNATURE-----
From sk at intertivity.com Thu Feb 3 17:44:33 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Thu Feb 3 17:40:39 2005
Subject: release candidate for 1.4.1 available
In-Reply-To: <20050203143651.GD19332@pit.ID-43118.user.dfncis.de>
References: <87fz0dhnjp.fsf@wheatstone.g10code.de>
<20050203143651.GD19332@pit.ID-43118.user.dfncis.de>
Message-ID: <420254F1.8090506@intertivity.com>
Have you added %SystemRoot%\System and %SystemRoot%\System32 to your
environment path variable?
HTH
Gregor Zattler schrieb:
>I installed it on Win98se and got an alarm box saying: gpg.exe is
>linked to the not available Export-SHELL32.DLL:SHGetFolderPathA.
>(Message was shown in german, I translated it. For original see
>attached image).
>
>
From Freedom_Lover at pobox.com Thu Feb 3 18:54:28 2005
From: Freedom_Lover at pobox.com (Todd)
Date: Thu Feb 3 18:51:28 2005
Subject: Multiple files
In-Reply-To: <200502031542.QAA03539@vulcan.xs4all.nl>
References: <200502031342.j13DgIKj013182@ms-smtp-01-eri0.southeast.rr.com>
<200502031542.QAA03539@vulcan.xs4all.nl>
Message-ID: <20050203175427.GA4175@psilocybe.teonanacatl.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Johan Wevers wrote:
> Kevin Smith wrote:
>>
>>Is there a way to encrypt multiple files at one time...say I want to
>>encrypt EVERY file in a folder called tobeencrypted...any easy way??
>
> #!/bin/bash
> for i in *; do gpg -e -r myname $i; done
Or, in 1.2.5 and above, use the multifile option:
gpg --multifile --encrypt tobeencrypted/*
That would get you an individually encrypted file for each file in the
directory. You might also want to just tar up the directory and then
encrypt that.
tar -cf - dir/ | gpg -r 0x0123456 --encrypt -o dir.tar.gpg
- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
I'm proud to be paying taxes in the U.S. The only thing is-I could be
just as proud for half the money.
-- Arthur Godfrey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.
iG0EARECAC0FAkICZVMmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt
ei5hc2MACgkQuv+09NZUB1oIKQCgyQcSRK2W/nzmRPy5uCLmTC6aURIAn2GxQ3O+
uqZvDnzzg2GIYtMFAEQ1
=6K2V
-----END PGP SIGNATURE-----
From shavital at mac.com Thu Feb 3 19:21:39 2005
From: shavital at mac.com (Charly Avital)
Date: Thu Feb 3 19:18:12 2005
Subject: [Announce] release candidate for 1.4.1 available
In-Reply-To: <87fz0dhnjp.fsf@wheatstone.g10code.de>
References: <87fz0dhnjp.fsf@wheatstone.g10code.de>
Message-ID: <050b2b6f51db0fa8e5d0a7c4fc5d6bce@mac.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Feb 3, 2005, at 6:48 AM, Werner Koch wrote:
> Hi!
>
> We are pleased to announce the availability of a release candidate for
> the forthcoming 1.4.1 version of gnupg:
>
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2 (2709k)
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2.sig
Compiled for Macintosh OS X 10.3.7, Darwin 7.7.0, CPU PPC G4 (1.1).
Running OK.
> [...]
> Noteworthy changes since 1.4.0:
>
> * New --rfc2440-text option which controls how text is handled in
> signatures. This is in response to some problems seen with
> certain PGP/MIME mail clients and GnuPG version 1.4.0. More
> details about this are available at
>
> 024408.html>
Self-test correctly verified by two different MUAs that use gpg. When
verifying with PGP 8.1, bad signature (will inform the PGP people).
This message is signed using PGP/MIME (I hope).
>
> * New "import-unusable-sigs" and "export-unusable-sigs" tags for
> --import-options and --export-options. These are on by
> default, and cause GnuPG to not import or export key signatures
> that are not usable (e.g. expired signatures).
The wording is a bit confusing, *for me* that is:
if the tag --import-unusable-sigs is on by default, how will that cause
GnuPG *not* to import key signatures that are not usable? It would seem
that it would cause GnuPG to import key signatures that are not usable.
Ditto for export. Sorry if this sounds dense.
>
> * New experimental HTTP, HTTPS, FTP, and FTPS keyserver helper
> that uses the cURL library to retrieve
> keys. This is disabled by default, but may be enabled with the
> configure option --with-libcurl. Without this option, the
> existing HTTP code is used for HTTP, and HTTPS, FTP, and FTPS
> are not supported.
Sorry, missed that one. I'll try an additional ./configure with that
option enabled.
[...]
> Happy Hacking,
>
> David, Timo, Werner
Thanks to you three.
Charly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (Darwin)
Comment: GnuPG for Privacy
iD8DBQFCAmvE8SG5rMkbCF4RAthaAJ9kKNRlnQ1LOcNz+HSo6OPDLcnFnQCfWeLS
zxN9PP2tqUjmUSbPB94J6V8=
=vF9g
-----END PGP SIGNATURE-----
From shavital at mac.com Thu Feb 3 19:36:28 2005
From: shavital at mac.com (Charly Avital)
Date: Thu Feb 3 19:32:55 2005
Subject: PGP/MIME signed - (was: [Announce] release candidate for 1.4.1
available)
Message-ID:
Sorry,
my previous message to the list was not signed using PGP/MIME, my
mistake (in fact, my MUA's mistake, but mine all the same).
This one should be.
Charly
MacOS X 10.3.8
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 216 bytes
Desc: This is a digitally signed message part
Url : /pipermail/attachments/20050203/8cca43f1/PGP.pgp
From wk at gnupg.org Thu Feb 3 19:46:53 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 3 19:45:37 2005
Subject: RSA subkeys
In-Reply-To: <20050203162428.71861.qmail@smasher.org> (Atom Smasher's
message of "Thu, 3 Feb 2005 11:24:39 -0500 (EST)")
References: <20050203094252.GA2406@charter.net>
<20050203162428.71861.qmail@smasher.org>
Message-ID: <877jlpeb1e.fsf@wheatstone.g10code.de>
On Thu, 3 Feb 2005 11:24:39 -0500 (EST), Atom Smasher said:
> why not update the expiration date on the subkeys, and keep them? if
> they're not compromised there's no reason to throw them away.
You never know whether a key is compromised. Key rollover is actually
a good thing to gain some forward secrecy. It helps against a warrant
to decrypt an old intercepted message - you can claim that you have
destroyed the key a few days after it expired. Ask the UK folks about
that - well, they won't be allowed to tell.
Shalom-Salam,
Werner
From wk at gnupg.org Thu Feb 3 19:50:32 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 3 19:50:38 2005
Subject: release candidate for 1.4.1 available
In-Reply-To: <20050203143651.GD19332@pit.ID-43118.user.dfncis.de> (Gregor
Zattler's message of "Thu, 3 Feb 2005 15:36:51 +0100")
References: <87fz0dhnjp.fsf@wheatstone.g10code.de>
<20050203143651.GD19332@pit.ID-43118.user.dfncis.de>
Message-ID: <873bwdeavb.fsf@wheatstone.g10code.de>
On Thu, 3 Feb 2005 15:36:51 +0100, Gregor Zattler said:
> I installed it on Win98se and got an alarm box saying: gpg.exe is
> linked to the not available Export-SHELL32.DLL:SHGetFolderPathA.
I feared that one. AFAIK you have to install at least Internet
Exploder 4.5 which updates the shell32.dll - or something like that.
I hope you don't really need it under Wine. Let's see what happens on
native W98
> I did this under WINE and the output was half english half german.
> The Umlauts didn't show correct. This may be a problem of my WINE
> installation.
The German tranlsation has not been updated. The Umlauts do work for
me on the console.
Thanks,
Werner
From wk at gnupg.org Thu Feb 3 19:54:37 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 3 19:50:46 2005
Subject: "Malformed User ID"
In-Reply-To: <420231EE.20302@gmx.de> (
=?utf-8?q?Thomas_F=2E_D=C3=BCllmann's_message_of?= "Thu, 03 Feb 2005
15:15:10 +0100")
References: <420231EE.20302@gmx.de>
Message-ID: <87u0otcw42.fsf@wheatstone.g10code.de>
On Thu, 03 Feb 2005 15:15:10 +0100, Thomas F D?llmann said:
> as recently posted I get an errormessage if i want to encrypt any File/Text.
As said, please post waht you actually did. Tell us the complete
command line you used. If there is a confidential user ID replace the
letters and numbers by others - but not their count.
Salam-Shalom,
Werner
From wk at gnupg.org Thu Feb 3 19:52:38 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 3 19:50:54 2005
Subject: capacity of keyring
In-Reply-To: <420224E2.9070900@intertivity.com> (Sascha Kiefer's message of
"Thu, 03 Feb 2005 14:19:30 +0100")
References: <4200C54D.4040305@intertivity.com>
<420224E2.9070900@intertivity.com>
Message-ID: <87y8e5cw7d.fsf@wheatstone.g10code.de>
On Thu, 03 Feb 2005 14:19:30 +0100, Sascha Kiefer said:
> What happens when I put 10.000 keys in there? What about 100.000 keys?
10.000 should basically work. 100000 work too but I am pretty sure
that it will be very very slow. gnupg 1.9 will fix this by using a
random access key storage (not yet implemented for OpenPGP).
Werner
From atom at smasher.org Thu Feb 3 19:58:31 2005
From: atom at smasher.org (Atom Smasher)
Date: Thu Feb 3 19:54:23 2005
Subject: RSA subkeys
In-Reply-To: <877jlpeb1e.fsf@wheatstone.g10code.de>
References: <20050203094252.GA2406@charter.net>
<20050203162428.71861.qmail@smasher.org>
<877jlpeb1e.fsf@wheatstone.g10code.de>
Message-ID: <20050203185817.85492.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Thu, 3 Feb 2005, Werner Koch wrote:
> On Thu, 3 Feb 2005 11:24:39 -0500 (EST), Atom Smasher said:
>
>> why not update the expiration date on the subkeys, and keep them? if
>> they're not compromised there's no reason to throw them away.
>
> You never know whether a key is compromised. Key rollover is actually a
> good thing to gain some forward secrecy. It helps against a warrant to
> decrypt an old intercepted message - you can claim that you have
> destroyed the key a few days after it expired. Ask the UK folks about
> that - well, they won't be allowed to tell.
=====================
ok, i guess that does have advantages under the UK's IPA(?). here in the
states one is protected against govt abuse by not writing down their
passphrase .
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"They have computers, and they may have
other weapons of mass destruction."
-- Janet Reno, US Attorney General,
27 Feb 1998
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCAnRcAAoJEAx/d+cTpVciWygH/2US+O7KkhSKLRjRxnkFwEfg
sT3AOCB2VZ/Ar5IO/7ovMZmUc/f9pZF26jTheGCR1cmN6aVJoIqUMVPoqIIWKQVE
LwtAHUgmO96z/DiyzKGGkenYljfO7TQ/0Gx0kT6L/bNHF/8zC/bUuGiOsms0QJxH
Lq5vU0RNYdp56YbL8PHjPpmjlAN19D41O37ZsgQYy8CzXzEoRjBP9ibY0LzObWel
073OuRNOg9qY1xRFh+LTvyMXJmRi3pRxOULO73gWCQWmn8/u3dgiDLWp1pH1BPIU
M6AN280/HOPwHpDWBxqbapucjJV9RXaJGdW+oxszw2il4DwtkFApo8WHok4ZAYo=
=DfB5
-----END PGP SIGNATURE-----
From wk at gnupg.org Thu Feb 3 19:56:58 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 3 19:55:40 2005
Subject: Multiple files
In-Reply-To: <200502031542.QAA03539@vulcan.xs4all.nl> (Johan Wevers's
message of "Thu, 3 Feb 2005 16:42:21 +0100 (MET)")
References: <200502031542.QAA03539@vulcan.xs4all.nl>
Message-ID: <87mzulcw05.fsf@wheatstone.g10code.de>
On Thu, 3 Feb 2005 16:42:21 +0100 (MET), Johan Wevers said:
> Kevin Smith wrote:
>> Is there a way to encrypt multiple files at one time...say I want to encrypt
>> EVERY file in a folder called tobeencrypted...any easy way??
> #!/bin/bash
> for i in *; do gpg -e -r myname $i; done
Or use
--multifile
This modifies certain other commands to accept
multiple files for processing on the command line
or read from stdin with each filename on a
separate line. This allows for many files to be
processed at once. --multifile may currently be
used along with --verify, --encrypt, and
--decrypt. Note that `--multifile --verify' may
not be used with detached signatures.
From huehn-ml at arcor.de Thu Feb 3 20:11:24 2005
From: huehn-ml at arcor.de (=?ISO-8859-1?Q?Thomas_H=FChn?=)
Date: Thu Feb 3 20:07:32 2005
Subject: [Announce] release candidate for 1.4.1 available
In-Reply-To: <87fz0dhnjp.fsf@wheatstone.g10code.de>
References: <87fz0dhnjp.fsf@wheatstone.g10code.de>
Message-ID: <4202775C.2020606@arcor.de>
Werner Koch wrote:
> * When running a --card-status or --card-edit and a public key is
> available, missing secret key stubs will be created on the fly.
> Details of the key are listed too.
Very nice. I was surprised it wasn't like that before. :-)
With regards to the "key generation on card" issue you recommended
trying CVS, which I haven't so far. Is that fix in 1.4.1rc?
Thomas
From WilliamsM at hnicorp.com Thu Feb 3 17:22:56 2005
From: WilliamsM at hnicorp.com (WilliamsM (IT))
Date: Thu Feb 3 20:59:18 2005
Subject: gnupg on AIX 5.2 mpih-div.c:453: Can't find a register in class `
MQ_REGS' while reloading `asm'
Message-ID: <3E7077285B8A1048BD43F3CAB3466FB403A09DB1@srv-it-exch3.honi.com>
All,
Rookie user here, quickly sinking in the quagmire of a go-live project.
While trying to do the Make of gnupg-1.2.6 I receive the following error
along with several other similar just different numbers:
mpih-div.c:453: Can't find a register in class `MQ_REGS' while reloading
`asm'
Found a blurb on the web referring to AIX 4.3 telling me "Perhaps
--disable-asm would help.", but as a rookie, I don't know how to do this. I
would also appreciate if you can help with this, you respond directly in
addition to the users list as I am not sure my subscription is set and that
I get the related emails.
TIA
Regards,
Michael R. Williams
"People can come up with statistics to prove anything, 14% of all people
know that." Homer Simpson
HNI Corporation
Unix System Admin/Progress DBA
(563)264-7292
williamsm@hnicorp.com
From shavital at mac.com Thu Feb 3 21:12:55 2005
From: shavital at mac.com (Charly Avital)
Date: Thu Feb 3 21:09:27 2005
Subject: PGP/MIME signed message - GnuPG 1.4.1rc1 released
Message-ID: <792b097efb955c67c30be31f707ebd7e@mac.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
My previous message to the list, that I believed to be signed using
PGP/MIME, was not (my mistake).
That was fortunate, because a second (short) message actually signed
with PGP/MIME was rejected by the list's server, I should have
anticipated that.
Charly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (Darwin)
Comment: GnuPG for Privacy
iD8DBQFCAoXS8SG5rMkbCF4RAoJUAJ9HvQtW3AkPs+1BaERajAv+khYPcwCfbtom
uyb8u3OmpJ4OuARwdezdOpg=
=MaTd
-----END PGP SIGNATURE-----
From wk at gnupg.org Thu Feb 3 21:26:54 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 3 21:25:41 2005
Subject: gnupg on AIX 5.2 mpih-div.c:453: Can't find a register in class
` MQ_REGS' while reloading `asm'
In-Reply-To: <3E7077285B8A1048BD43F3CAB3466FB403A09DB1@srv-it-exch3.honi.com>
(WilliamsM@hnicorp.com's
message of "Thu, 3 Feb 2005 10:22:56 -0600")
References: <3E7077285B8A1048BD43F3CAB3466FB403A09DB1@srv-it-exch3.honi.com>
Message-ID: <87zmyl9ypd.fsf@wheatstone.g10code.de>
On Thu, 3 Feb 2005 10:22:56 -0600 , WilliamsM (IT) said:
> Found a blurb on the web referring to AIX 4.3 telling me "Perhaps
> --disable-asm would help.", but as a rookie, I don't know how to do this. I
./configure --disable-asm
make
will do
> would also appreciate if you can help with this, you respond directly in
> addition to the users list as I am not sure my subscription is set
> and that
No, you are not subscribed, I approved it. In general no problem but
there might a few hours or a day of delay.
Werner
From wk at gnupg.org Thu Feb 3 21:29:42 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 3 21:25:53 2005
Subject: [Announce] release candidate for 1.4.1 available
In-Reply-To: <4202775C.2020606@arcor.de> (
=?utf-8?q?Thomas_H=C3=BChn's_message_of?= "Thu, 03 Feb 2005 20:11:24
+0100")
References: <87fz0dhnjp.fsf@wheatstone.g10code.de> <4202775C.2020606@arcor.de>
Message-ID: <87r7jx9ykp.fsf@wheatstone.g10code.de>
On Thu, 03 Feb 2005 20:11:24 +0100, Thomas H?hn said:
> With regards to the "key generation on card" issue you recommended
> trying CVS, which I haven't so far. Is that fix in 1.4.1rc?
Yes.
From wk at gnupg.org Thu Feb 3 21:28:16 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 3 21:26:04 2005
Subject: release candidate for 1.4.1 available
In-Reply-To: <420254F1.8090506@intertivity.com> (Sascha Kiefer's message of
"Thu, 03 Feb 2005 17:44:33 +0100")
References: <87fz0dhnjp.fsf@wheatstone.g10code.de>
<20050203143651.GD19332@pit.ID-43118.user.dfncis.de>
<420254F1.8090506@intertivity.com>
Message-ID: <87vf999yn3.fsf@wheatstone.g10code.de>
On Thu, 03 Feb 2005 17:44:33 +0100, Sascha Kiefer said:
> Have you added %SystemRoot%\System and %SystemRoot%\System32 to your
> environment path variable?
IIRC, that is one of the default locations searched by LoadModule.
Werner
From johanw at vulcan.xs4all.nl Thu Feb 3 21:23:17 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Feb 3 21:55:47 2005
Subject: RSA subkeys
In-Reply-To: <20050203185817.85492.qmail@smasher.org> from Atom Smasher at
"Feb 3, 2005 01:58:31 pm"
Message-ID: <200502032023.VAA04208@vulcan.xs4all.nl>
Atom Smasher wrote:
>ok, i guess that does have advantages under the UK's IPA(?). here in the
>states one is protected against govt abuse by not writing down their
>passphrase .
In the USA they can "suspect" you of terrorist activity and lock you up in
Guantanamo indefinitely without trial.
In the UK, the trick of adding a message "This key is not requested by the
governemnt" and removing the message if it is can be used.
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From johanw at vulcan.xs4all.nl Thu Feb 3 21:58:42 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Feb 3 21:55:56 2005
Subject: [Announce] release candidate for 1.4.1 available
In-Reply-To: <87fz0dhnjp.fsf@wheatstone.g10code.de> from Werner Koch at "Feb 3,
2005 12:48:26 pm"
Message-ID: <200502032058.VAA04581@vulcan.xs4all.nl>
Werner Koch wrote:
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2 (2709k)
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2.sig
I get a bad signature on this file (with gpg 1.4.0).
> ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe (1377k)
> ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe.sig
This signature checks OK.
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From atom at smasher.org Thu Feb 3 22:15:57 2005
From: atom at smasher.org (Atom Smasher)
Date: Thu Feb 3 22:12:02 2005
Subject: RSA subkeys
In-Reply-To: <200502032023.VAA04208@vulcan.xs4all.nl>
References: <200502032023.VAA04208@vulcan.xs4all.nl>
Message-ID: <20050203211542.72055.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Thu, 3 Feb 2005, Johan Wevers wrote:
> Atom Smasher wrote:
>
>> ok, i guess that does have advantages under the UK's IPA(?). here in
>> the states one is protected against govt abuse by not writing down
>> their passphrase .
>
> In the USA they can "suspect" you of terrorist activity and lock you up
> in Guantanamo indefinitely without trial.
=============
yeah, but they don't need evidence to do that, so crypto is largely
irrelevant. in fact it could save someone from the gulag... if they
*really* want to know what's encrypted they'll work out a deal. the
guantanamo gulag is reserved for people who can't be convicted anyway.
sooner or later the civilized world will liberate us... or we'll collapse
under our own weight.
> In the UK, the trick of adding a message "This key is not requested by
> the governemnt" and removing the message if it is can be used.
=============
huh? i'm not sure how that works... tell me more...
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"The lawgiver, of all beings, most owes the law allegiance.
He of all men should behave as though the law compelled him.
But it is the universal weakness of mankind that what we are
given to administer we presently imagine we own."
-- H.G. Wells
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCApSSAAoJEAx/d+cTpVcio7UH/RX0d/7ctE9jY3HiOlj0+rfM
DBL8DCO48U80Wk3kOMAwb8upXkTLZRoj713DGspfvVnp2pbFuzQnnHzaKgM4pd5f
iTQc5kCqnlPGKahtL80PiRiob0DKoyByTG1SQsmRuwegPHu7VorOEE2tp9xGgzmh
iaCNlB/Em5GurV3++c/gxYHa0paRggTmFp0f/XpeNwaebyab816VFU+W6Js9uw06
FybP6cV93GqkS+fU5nQIN1n7jPDAqoJp3g+3owTvdQl3LwfuGfR4RwPBnFF5gUrU
XL166TYNGj/qGyp6UzDrE2ihiWQqUO6Mm2iPYbDJre+WR7nRVKwD3OcMy7E4v8g=
=JoJs
-----END PGP SIGNATURE-----
From dshaw at jabberwocky.com Thu Feb 3 22:38:21 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 3 22:35:01 2005
Subject: [Announce] release candidate for 1.4.1 available
In-Reply-To: <050b2b6f51db0fa8e5d0a7c4fc5d6bce@mac.com>
References: <87fz0dhnjp.fsf@wheatstone.g10code.de>
<050b2b6f51db0fa8e5d0a7c4fc5d6bce@mac.com>
Message-ID: <20050203213821.GA12554@jabberwocky.com>
On Thu, Feb 03, 2005 at 01:21:39PM -0500, Charly Avital wrote:
> > * New --rfc2440-text option which controls how text is handled in
> > signatures. This is in response to some problems seen with
> > certain PGP/MIME mail clients and GnuPG version 1.4.0. More
> > details about this are available at
> >
> > > 024408.html>
>
> Self-test correctly verified by two different MUAs that use gpg. When
> verifying with PGP 8.1, bad signature (will inform the PGP people).
I'm not sure what didn't work here. What did you verify with PGP 8.1?
> > * New "import-unusable-sigs" and "export-unusable-sigs" tags for
> > --import-options and --export-options. These are on by
> > default, and cause GnuPG to not import or export key signatures
> > that are not usable (e.g. expired signatures).
>
> The wording is a bit confusing, *for me* that is:
> if the tag --import-unusable-sigs is on by default, how will that cause
> GnuPG *not* to import key signatures that are not usable? It would seem
> that it would cause GnuPG to import key signatures that are not usable.
> Ditto for export. Sorry if this sounds dense.
This was a typo. The options are *off* by default.
David
From dany_list at natzo.com Thu Feb 3 21:42:25 2005
From: dany_list at natzo.com (Dany Nativel)
Date: Thu Feb 3 23:04:51 2005
Subject: Any LiveCD with GnuPG 1.4?
In-Reply-To: <41F7D813.6030804@natzo.com>
References: <41F7D813.6030804@natzo.com>
Message-ID: <42028CB1.4050509@natzo.com>
This is the third time I'm trying to post to this list without success.
Dany
Dany Nativel wrote:
> Posted the following one on the 25th but it never showed up on the list!
> Dany
>
> Hello,
>
> I've been looking around for any LiveCD, LiveFloppy, LiveUSB... you
> name it that would have GnuPG 1.4.
>
> I think that a LiveCD/Floppy like this would be the best companion for
> the OpenPGP card during the key generation process. GnuPG 1.4 has
> built-in support for CCID smart card readers so it's really portable
> and provide a (more) secure way to launch an on-card key generation
> with off-card backup (on a floppy for example). The real men don't
> backup their keys ;)
>
> I was hopping that Klik (great tool for adding new applications to
> Knoppix) would have the 1.4 but that's not the case.
>
> So I guess I just have to wait...
>
> Do not hesitate to let me know if you see one around.
>
> PS: Now it's time to get this old Tinfoilinux floppy project back for
> even more protection.
>
> Dany
>
From atom at smasher.org Thu Feb 3 23:25:42 2005
From: atom at smasher.org (Atom Smasher)
Date: Thu Feb 3 23:21:36 2005
Subject: "Malformed User ID"
In-Reply-To: <420231EE.20302@gmx.de>
References: <420231EE.20302@gmx.de>
Message-ID: <20050203222529.17200.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
is the key publicly circulated? if yes, what is the key id?
have you tried specifying the key by key id? or user id?
ie:
gpg -e file -r test@example.com
or
gpg -e file -r 0x12345678
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"What you are seeing is not just a consolidation of seed
companies, it is really a consolidation of the entire food
chain. Since water is as central to food production as seed
is, and without water life is not possible, Monsanto is now
trying to establish its control over water."
-- Robert Farley, Monsanto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCAqTsAAoJEAx/d+cTpVciLxQH/14sHb8U0wlCixBpjBqLCCs+
5rjNyqwUrdEc87887HXZx+Xm1RN/VSbP7A2AK9XM3qf2RlBpCtTv8oelXyAL+s0G
kX9yt6c1TxjquUWZhOXkebrs/wjlt1bm8imAt9jETbTmho4jduIecWEhcPWuVfZ7
wqPElfendmSHYTgKQDcnL/WfultGoKgtHHEBijFOo3D1JP9err2wqLFBkzlC+F8I
NKhCD40HGsI+2WmVM3UXORd6qSrwXvhHd3shTI9eWeEl1Q1PE+NxOnGTtyCclkN3
f95df2NVG6N1sXIjr7aZ9cvPdkERzV4IWE5JWfCaegMMeIm3V/U/RfcgQTFoLj4=
=1Fc4
-----END PGP SIGNATURE-----
From atom at smasher.org Thu Feb 3 23:30:55 2005
From: atom at smasher.org (Atom Smasher)
Date: Thu Feb 3 23:26:49 2005
Subject: "Malformed User ID"
In-Reply-To: <20050203222529.17200.qmail@smasher.org>
References: <420231EE.20302@gmx.de> <20050203222529.17200.qmail@smasher.org>
Message-ID: <20050203223039.19885.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Thu, 3 Feb 2005, Atom Smasher wrote:
> ie:
> gpg -e file -r test@example.com
> or
> gpg -e file -r 0x12345678
========================
correction to self. that won't work.
i meant:
gpg -er test@example.com file
or
gpg -er 0x12345678 file
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"It must be in our vital interest whether we ever send
troops. The mission must be clear. Soldiers must
understand why we're going. The force must be strong
enough so that the mission can be accomplished. And
the exit strategy needs to be well-defined."
-- George "dubya" Bush
3rd Bush-Gore debate, 17 Oct 2000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCAqYkAAoJEAx/d+cTpVciyEMIAISAmQq6vhpEjKSYB2ZYXaZS
yzOM3lwtfbf38NR9EzQDOhmHjL3znv7+qFZL159IW4OJ9N7YAueW4eKc4NWP3rqc
pM8ap1qessVV491aAv5PU8qHrc/29F1ucjQuQ+lqqIcdIvrEn4f9EtPnjArW39C6
iauG4ncLoiyatFh/M6QjbDQ8gOPaub4noU4uZpVR6PsEletAOObDHkfz4p5c3Kdg
QjGFeE/w4KDHY850W2LbghOot7uP+I2s6MoVPxV+tEqn1i52Gyg1XW9rnteXdLl+
v9nrFb+3mtZ+/8gK2IMK/ORCooqmgiQILZ5EMRPkwKsDS4VotvhFCRoiQvnG4xQ=
=HPT9
-----END PGP SIGNATURE-----
From johanw at vulcan.xs4all.nl Fri Feb 4 00:24:25 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri Feb 4 00:21:55 2005
Subject: RSA subkeys
In-Reply-To: <20050203211542.72055.qmail@smasher.org> from Atom Smasher at
"Feb 3, 2005 04:15:57 pm"
Message-ID: <200502032324.AAA13069@vulcan.xs4all.nl>
Atom Smasher wrote:
>> In the UK, the trick of adding a message "This key is not requested by
>> the governemnt" and removing the message if it is can be used.
>huh? i'm not sure how that works... tell me more...
You add a message to all your encrypted files and your key with such a text.
If the gouvernment requests the key, you remove the message.
Bruce Schneier reported some library did the same with gouvernment requests
to log internet activity. They put up a sign "XXX days without logging",
and the suddenly removed the sign, making obvious what happened.
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From johanw at vulcan.xs4all.nl Fri Feb 4 00:25:38 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri Feb 4 00:22:04 2005
Subject: [Announce] release candidate for 1.4.1 available
In-Reply-To: <87fz0dhnjp.fsf@wheatstone.g10code.de> from Werner Koch at "Feb 3,
2005 12:48:26 pm"
Message-ID: <200502032325.AAA13076@vulcan.xs4all.nl>
Werner Koch wrote:
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2 (2709k)
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2.sig
My first report about a bad signature was in error. I redownloaded the
.bz2 file and now it checked OK. Compilation and teste were also OK.
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From linux at codehelp.co.uk Fri Feb 4 00:40:27 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Fri Feb 4 00:36:46 2005
Subject: Any LiveCD with GnuPG 1.4?
In-Reply-To: <42028CB1.4050509@natzo.com>
References: <41F7D813.6030804@natzo.com> <42028CB1.4050509@natzo.com>
Message-ID: <200502032340.30625.linux@codehelp.co.uk>
On Thursday 03 February 2005 8:42 pm, Dany Nativel wrote:
> > I've been looking around for any LiveCD, LiveFloppy, LiveUSB... you
> > name it that would have GnuPG 1.4.
USB - possible, better to probably roll your own if you've got one of those
1Gb USB sticks - probably more work than it is worth to re-hash an iso to
512Mb.
> > So I guess I just have to wait...
Why not try to create your own? It's how all projects start . . .
> > Do not hesitate to let me know if you see one around.
Google is your friend - don't rely on others.
--
Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.neil.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050203/a53785e6/attachment.pgp
From shavital at mac.com Fri Feb 4 00:58:34 2005
From: shavital at mac.com (Charly Avital)
Date: Fri Feb 4 00:54:47 2005
Subject: [Announce] release candidate for 1.4.1 available
In-Reply-To: <20050203213821.GA12554@jabberwocky.com>
References: <87fz0dhnjp.fsf@wheatstone.g10code.de>
<050b2b6f51db0fa8e5d0a7c4fc5d6bce@mac.com>
<20050203213821.GA12554@jabberwocky.com>
Message-ID: <4202BAAA.8050702@mac.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David Shaw wrote:
| * New --rfc2440-text [...]
| I'm not sure what didn't work here. What did you verify with PGP 8.1?
I sent a self-test, PGP/MIME signed message from Thunderbird 1.0:
- - verified with Mail.app and gpg 1.4.1 - good signature
- - verified with Thunderbird 1.0 and gpg 1.4.1 - good signature
- - verified with Eudora and PGP 8.1 - bad signature
But now, an additional test, verified with Mail.app and PGP 8.1 - good
signature.
The only bad signature was with Eudora.
Eudora has a problem with utf-8.
This verification (with Eudora) is not, IMO, valid, and there is no
problem with PGP 8.1's verification.
[...]
|>The wording is a bit confusing, *for me* that is:
|>if the tag --import-unusable-sigs is on by default, how will that cause
|>GnuPG *not* to import key signatures that are not usable? It would seem
|>that it would cause GnuPG to import key signatures that are not usable.
|>Ditto for export. Sorry if this sounds dense.
|
|
| This was a typo. The options are *off* by default.
Thanks for clarifying that.
Charly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCArql8SG5rMkbCF4RArWRAJ48NKn5dGUNliq6vcbH/Afaq7LqDQCfRZr0
bKhU3zdkRna87Txn145KqYI=
=20JM
-----END PGP SIGNATURE-----
From freebsd at usol.com Fri Feb 4 01:50:35 2005
From: freebsd at usol.com (Eric Buchanan)
Date: Fri Feb 4 01:47:03 2005
Subject: Multiple files
In-Reply-To: <20050203175427.GA4175@psilocybe.teonanacatl.org>
References: <200502031342.j13DgIKj013182@ms-smtp-01-eri0.southeast.rr.com>
<200502031542.QAA03539@vulcan.xs4all.nl>
<20050203175427.GA4175@psilocybe.teonanacatl.org>
Message-ID: <200502031650.40727.freebsd@usol.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I just used tar and gpg to encrypt the file as shown earlier, and it decrypted
fine, but when I went to untar it, I got this error:
backup/temp/
backup/temp/misc/
backup/temp/misc/autprint.mrk
tar: Skipping to next header
tar: Archive contains obsolescent base-64 headers
tar: Error exit delayed from previous errors
This is version 1.4.0 on FreeBSD 4.11. It only decrypts the first tiny bit of
the decrypted tar archive. It also repeated the exact same error messages
when I ran "gpg -r root --encrypt-files -sta b.tar" and then after
decrypting I run "tar xvf b.tar." My OpenBSD installation is hosed right now
so I can't try repeating this on another platform.
Any ideas? TIA,
Eric Buchanan
El Jue 03 Feb 2005 09:54 AM, Todd escribi?:
> Johan Wevers wrote:
> > Kevin Smith wrote:
> >>Is there a way to encrypt multiple files at one time...say I want to
> >>encrypt EVERY file in a folder called tobeencrypted...any easy way??
> >
> > #!/bin/bash
> > for i in *; do gpg -e -r myname $i; done
>
> Or, in 1.2.5 and above, use the multifile option:
>
> gpg --multifile --encrypt tobeencrypted/*
>
> That would get you an individually encrypted file for each file in the
> directory. You might also want to just tar up the directory and then
> encrypt that.
>
> tar -cf - dir/ | gpg -r 0x0123456 --encrypt -o dir.tar.gpg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
iD8DBQFCAsbe//GaROrFlAkRAnEnAKDrEWzsmWM4RWYAYE4RKQOSUbDWaQCeIc+4
9Koqv5hDqBS4oJ/5w4Z9mIw=
=yUmJ
-----END PGP SIGNATURE-----
From freebsd at usol.com Fri Feb 4 01:58:58 2005
From: freebsd at usol.com (Eric Buchanan)
Date: Fri Feb 4 01:55:14 2005
Subject: Multiple files
In-Reply-To: <200502031650.40727.freebsd@usol.com>
References: <200502031342.j13DgIKj013182@ms-smtp-01-eri0.southeast.rr.com>
<20050203175427.GA4175@psilocybe.teonanacatl.org>
<200502031650.40727.freebsd@usol.com>
Message-ID: <200502031659.00962.freebsd@usol.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I meant to say "untar" instead of "decrypts only a tiny bit of the archive."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
iD8DBQFCAsjU//GaROrFlAkRAiUhAJ9zflullHmo01ZiIZ4e250jssNdnwCg4ye1
vwFvl21WJYoExQ00OW8SAwg=
=pjuC
-----END PGP SIGNATURE-----
From david69 at charter.net Fri Feb 4 08:17:46 2005
From: david69 at charter.net (David)
Date: Fri Feb 4 10:03:03 2005
Subject: RSA subkeys
In-Reply-To: <20050203162428.71861.qmail@smasher.org>
References: <20050203094252.GA2406@charter.net>
<20050203162428.71861.qmail@smasher.org>
Message-ID: <20050204071746.GA3234@charter.net>
On Thu, Feb 03, 2005 at 11:24:39AM -0500, Atom Smasher wrote:
>
> gpg 1.4 is better. no comment on RH9.
I will upgrade to 1.4.
>
> why not update the expiration date on the subkeys, and keep them? if
> they're not compromised there's no reason to throw them away.
It may be a good practice if GPG/PGP can automatically consider them as valid
since they are signed with the master key.
>
> RSA support is optional in rfc2440. i've been using an RSA only key for a
> while with no problems, mostly with other gpg users.
Can PGP 5+ handle this kind of key (master RSA + 2 RSA sub-keys)?
Thanks for your help,
David
--
"In theory, there is no difference between theory and practice. But, in
practice, there is."
- Jan L.A. van de Snepscheut -
From Holger.Sesterhenn at smgwtest.aachen.utimaco.de Fri Feb 4 09:49:38 2005
From: Holger.Sesterhenn at smgwtest.aachen.utimaco.de (Holger Sesterhenn)
Date: Fri Feb 4 10:36:39 2005
Subject: capacity of keyring
In-Reply-To: <420224E2.9070900@intertivity.com>
References: <4200C54D.4040305@intertivity.com>
<420224E2.9070900@intertivity.com>
Message-ID: <42033722.7030302@smgwtest.aachen.utimaco.de>
Hi,
> Do you know how many keys can you put into a keystore and
> still be fast?
> What happens when I put 10.000 keys in there? What about 100.000 keys?
I have done some tests with dumps from a HKP keyserver (> 20MB of data,
25000 keys, SuSE Linux 9.x and own Linux distribution).
GnuPG 1.2.3 crashed during import after about 2500 keys. GnuPG 1.3.9X
and 1.4.0 did the job but terribly slow.
It took more than 6 hours to '--import' on a P-IV/2,4 MHz (512 MB RAM,
40 GB ATA) and was only a bit faster on a dual P-IV/3 Mhz (2 GB RAM,
SCSI with 64 MB Cache controller).
It's because GnuPG has to scan the whole keyring again and again if you
append keys to it. It's an exponential behaviour.
GnuPG is still a client software not designed to handle such an amount
of keys.
But as Werner mentioned, this may change in future releases ;-).
--
Best Regards,
Holger Sesterhenn
---
Internet http://www.utimaco.de
From wk at gnupg.org Fri Feb 4 11:20:35 2005
From: wk at gnupg.org (Werner Koch)
Date: Fri Feb 4 11:48:55 2005
Subject: RSA subkeys
In-Reply-To: <20050204071746.GA3234@charter.net> (david69@charter.net's
message of "Thu, 3 Feb 2005 23:17:46 -0800")
References: <20050203094252.GA2406@charter.net>
<20050203162428.71861.qmail@smasher.org>
<20050204071746.GA3234@charter.net>
Message-ID: <876518aaoc.fsf@wheatstone.g10code.de>
On Thu, 3 Feb 2005 23:17:46 -0800, David said:
> It may be a good practice if GPG/PGP can automatically consider them as valid
> since they are signed with the master key.
It does.
> Can PGP 5+ handle this kind of key (master RSA + 2 RSA sub-keys)?
Yes, unless you have sign-only subkeys where PGP gets it wrong.
Werner
From sk at intertivity.com Fri Feb 4 12:16:57 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Fri Feb 4 12:13:27 2005
Subject: capacity of keyring
In-Reply-To: <42033722.7030302@smgwtest.aachen.utimaco.de>
References: <4200C54D.4040305@intertivity.com> <420224E2.9070900@intertivity.com>
<42033722.7030302@smgwtest.aachen.utimaco.de>
Message-ID: <420359A9.7020908@intertivity.com>
When do you think that 1.9.x is going to be realeased?
Or how "stable" is 1.9 right now?
Holger Sesterhenn schrieb:
> Hi,
>
>> Do you know how many keys can you put into a keystore and
>> still be fast?
>> What happens when I put 10.000 keys in there? What about 100.000 keys?
>
>
> I have done some tests with dumps from a HKP keyserver (> 20MB of
> data, 25000 keys, SuSE Linux 9.x and own Linux distribution).
> GnuPG 1.2.3 crashed during import after about 2500 keys. GnuPG 1.3.9X
> and 1.4.0 did the job but terribly slow.
>
> It took more than 6 hours to '--import' on a P-IV/2,4 MHz (512 MB RAM,
> 40 GB ATA) and was only a bit faster on a dual P-IV/3 Mhz (2 GB RAM,
> SCSI with 64 MB Cache controller).
>
> It's because GnuPG has to scan the whole keyring again and again if
> you append keys to it. It's an exponential behaviour.
>
> GnuPG is still a client software not designed to handle such an amount
> of keys.
>
> But as Werner mentioned, this may change in future releases ;-).
From sk at intertivity.com Fri Feb 4 12:36:40 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Fri Feb 4 12:32:51 2005
Subject: capacity of keyring
In-Reply-To: <42033722.7030302@smgwtest.aachen.utimaco.de>
References: <4200C54D.4040305@intertivity.com> <420224E2.9070900@intertivity.com>
<42033722.7030302@smgwtest.aachen.utimaco.de>
Message-ID: <42035E48.1090501@intertivity.com>
Yes. It's pretty worse.
gpg: Total number processed: 569
gpg: w/o user IDs: 3
gpg: imported: 434 (RSA: 36)
gpg: unchanged: 132
the program is still running:
Name Pid Pri Thd Hnd Priv CPU Time Elapsed Time
gpg 3836 8 1 24 230048 0:14:35.265 0:15:55.496
Hmm, thats pretty bad and i have to overthink my ideas!
Holger Sesterhenn schrieb:
> Hi,
>
>> Do you know how many keys can you put into a keystore and
>> still be fast?
>> What happens when I put 10.000 keys in there? What about 100.000 keys?
>
>
> I have done some tests with dumps from a HKP keyserver (> 20MB of
> data, 25000 keys, SuSE Linux 9.x and own Linux distribution).
> GnuPG 1.2.3 crashed during import after about 2500 keys. GnuPG 1.3.9X
> and 1.4.0 did the job but terribly slow.
>
> It took more than 6 hours to '--import' on a P-IV/2,4 MHz (512 MB RAM,
> 40 GB ATA) and was only a bit faster on a dual P-IV/3 Mhz (2 GB RAM,
> SCSI with 64 MB Cache controller).
>
> It's because GnuPG has to scan the whole keyring again and again if
> you append keys to it. It's an exponential behaviour.
>
> GnuPG is still a client software not designed to handle such an amount
> of keys.
>
> But as Werner mentioned, this may change in future releases ;-).
From texmex at uni.de Fri Feb 4 13:44:10 2005
From: texmex at uni.de (Gregor Zattler)
Date: Fri Feb 4 14:00:47 2005
Subject: release candidate for 1.4.1 available
In-Reply-To: <873bwdeavb.fsf@wheatstone.g10code.de>
References: <87fz0dhnjp.fsf@wheatstone.g10code.de>
<20050203143651.GD19332@pit.ID-43118.user.dfncis.de>
<873bwdeavb.fsf@wheatstone.g10code.de>
Message-ID: <20050204124410.GF21069@pit.ID-43118.user.dfncis.de>
Hi Werner,
* Werner Koch [03. Feb. 2005]:
> On Thu, 3 Feb 2005 15:36:51 +0100, Gregor Zattler said:
>
> > I installed it on Win98se and got an alarm box saying: gpg.exe is
> > linked to the not available Export-SHELL32.DLL:SHGetFolderPathA.
>
> I feared that one. AFAIK you have to install at least Internet
> Exploder 4.5 which updates the shell32.dll - or something like that.
IE 5.00 is installed. But perhaps updating of the dll was not
allowed, when this was installed!?
shell32.dll is version 4.72.3612.1700
> I hope you don't really need it under Wine.
Sure. I do not need it under Wine.
> Let's see what happens on
> native W98
>
> > I did this under WINE and the output was half english half german.
> > The Umlauts didn't show correct. This may be a problem of my WINE
> > installation.
>
> The German tranlsation has not been updated. The Umlauts do work for
> me on the console.
On the Linux console? Yes, me too.
Gregor
From texmex at uni.de Fri Feb 4 13:35:23 2005
From: texmex at uni.de (Gregor Zattler)
Date: Fri Feb 4 14:03:19 2005
Subject: release candidate for 1.4.1 available
In-Reply-To: <420254F1.8090506@intertivity.com>
References: <87fz0dhnjp.fsf@wheatstone.g10code.de>
<20050203143651.GD19332@pit.ID-43118.user.dfncis.de>
<420254F1.8090506@intertivity.com>
Message-ID: <20050204123523.GE21069@pit.ID-43118.user.dfncis.de>
Hi Sascha,
* Sascha Kiefer [03. Feb. 2005]:
> Have you added %SystemRoot%\System and %SystemRoot%\System32 to your
> environment path variable?
No, PATH was: PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
I set it to
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\SYSTEM;C:\SYSTEM32
the Problem remained.
Gregor
>
> HTH
>
> Gregor Zattler schrieb:
>
> >I installed it on Win98se and got an alarm box saying: gpg.exe is
> >linked to the not available Export-SHELL32.DLL:SHGetFolderPathA.
> >(Message was shown in german, I translated it. For original see
> >attached image).
> >
> >
>
>
From ml at bitfalle.org Fri Feb 4 13:09:37 2005
From: ml at bitfalle.org (markus reichelt)
Date: Fri Feb 4 14:06:31 2005
Subject: Any LiveCD with GnuPG 1.4?
In-Reply-To: <42028CB1.4050509@natzo.com>
References: <41F7D813.6030804@natzo.com> <42028CB1.4050509@natzo.com>
Message-ID: <20050204120937.GA3272@dantooine>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dany Nativel wrote:
> >I've been looking around for any LiveCD, LiveFloppy, LiveUSB... you
> >name it that would have GnuPG 1.4.
just build your own. runt is a good starting point if you ask me :-)
- --
Bastard Administrator in $hell
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFCA2YBLMyTO8Kj/uQRAj21AJ0XcyEUGi8O2Y1blTXt00P70ZIcJgCfdlfS
jv875sFTOOgsz/hMEmqTqs0=
=U6lL
-----END PGP SIGNATURE-----
From LTottman at careline-services.co.uk Fri Feb 4 14:07:51 2005
From: LTottman at careline-services.co.uk (LTottman@careline-services.co.uk)
Date: Fri Feb 4 14:57:44 2005
Subject: GPG question
Message-ID: <7020AE3619B4D411AF6B00D0B744271603B9959A@CS-NT3>
We have a file that needs encrypting on a daily basis. The filename changes
from day to day, is gpg able to give the encrypted file the same name it had
before it was encrypted without specifying it in the command line. Can the
encrypted filename be generated automatically?
Any helps would be appreciated
L
DISCLAIMER: This e-mail contains proprietary information
some or all of which may be legally privileged. It is for the
intended recipient only. If an addressing error has misdirected
this e-mail, please notify the author by replying to this e-mail.
If you are not the intended recipient you must not use,
disclose, distribute, copy, print or rely on this e-mail.
From sk at intertivity.com Fri Feb 4 16:27:56 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Fri Feb 4 16:24:07 2005
Subject: release candidate for 1.4.1 available
In-Reply-To: <20050204123523.GE21069@pit.ID-43118.user.dfncis.de>
References: <87fz0dhnjp.fsf@wheatstone.g10code.de> <20050203143651.GD19332@pit.ID-43118.user.dfncis.de> <420254F1.8090506@intertivity.com>
<20050204123523.GE21069@pit.ID-43118.user.dfncis.de>
Message-ID: <4203947C.7060307@intertivity.com>
:)
%SystemRoot% = c:\Windows
=> PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\SYSTEM;C:\WINDOWS\SYSTEM32
and the restart will always help!
Gregor Zattler schrieb:
>Hi Sascha,
>* Sascha Kiefer [03. Feb. 2005]:
>
>
>>Have you added %SystemRoot%\System and %SystemRoot%\System32 to your
>>environment path variable?
>>
>>
>
>No, PATH was: PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
>I set it to
>PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\SYSTEM;C:\SYSTEM32
>
>the Problem remained.
>
>Gregor
>
>
>
>
>>HTH
>>
>>Gregor Zattler schrieb:
>>
>>
>>
>>>I installed it on Win98se and got an alarm box saying: gpg.exe is
>>>linked to the not available Export-SHELL32.DLL:SHGetFolderPathA.
>>>(Message was shown in german, I translated it. For original see
>>>attached image).
>>>
>>>
>>>
>>>
>>
>>
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users@gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
>
From thfrdue at gmx.de Fri Feb 4 17:08:27 2005
From: thfrdue at gmx.de (=?ISO-8859-1?Q?=22Thomas_F=2E_D=FCllmann=22?=)
Date: Fri Feb 4 17:05:12 2005
Subject: "Malformed User ID"
In-Reply-To: <20050203223039.19885.qmail@smasher.org>
References: <420231EE.20302@gmx.de> <20050203222529.17200.qmail@smasher.org>
<20050203223039.19885.qmail@smasher.org>
Message-ID: <42039DFB.4090301@gmx.de>
Hi,
I did as Atom Smasher told me,
but it's still the same error Message ("malformed user id").
I also tried to create a new key and crypt with it, but the same message
again.
I don't know what else to describe.
Greetz
Thomas
Email: thfrdue@gmx.de
Atom Smasher schrieb:
> i meant:
> gpg -er test@example.com file
> or
> gpg -er 0x12345678 file
>
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.5 - Release Date: 03.02.2005
From dshaw at jabberwocky.com Fri Feb 4 15:19:31 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Feb 4 17:12:53 2005
Subject: GPG question
In-Reply-To: <7020AE3619B4D411AF6B00D0B744271603B9959A@CS-NT3>
References: <7020AE3619B4D411AF6B00D0B744271603B9959A@CS-NT3>
Message-ID: <20050204141931.GA22324@jabberwocky.com>
On Fri, Feb 04, 2005 at 01:07:51PM -0000, LTottman@careline-services.co.uk wrote:
> We have a file that needs encrypting on a daily basis. The filename changes
> from day to day, is gpg able to give the encrypted file the same name it had
> before it was encrypted without specifying it in the command line. Can the
> encrypted filename be generated automatically?
GnuPG automatically includes the original filename inside the
encrypted file. Include the --use-embedded-filename option when
decrypting to use this name when decrypting.
David
From texmex at uni.de Fri Feb 4 17:47:56 2005
From: texmex at uni.de (Gregor Zattler)
Date: Fri Feb 4 17:44:48 2005
Subject: it's not a PATH problem (was: Re: release candidate for 1.4.1
available)
In-Reply-To: <4203947C.7060307@intertivity.com>
References: <87fz0dhnjp.fsf@wheatstone.g10code.de>
<20050203143651.GD19332@pit.ID-43118.user.dfncis.de>
<420254F1.8090506@intertivity.com>
<20050204123523.GE21069@pit.ID-43118.user.dfncis.de>
<4203947C.7060307@intertivity.com>
Message-ID: <20050204164756.GA16960@pit.ID-43118.user.dfncis.de>
Hi Sascha,
* Sascha Kiefer [04. Feb. 2005]:
> :)
>
> %SystemRoot% = c:\Windows
> => PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\SYSTEM;C:\WINDOWS\SYSTEM32
>
> and the restart will always help!
ah, I see my typo. Did as you wrote (cut 'n paste in autoexec.lbat,
reebot, tested %PATH%, cd to C:\Programme\GNU\GnuPG, "gpg --help"
--> said error message) but didn't help.
Gregor
>
>
> Gregor Zattler schrieb:
>
> >Hi Sascha,
> >* Sascha Kiefer [03. Feb. 2005]:
> >
> >
> >>Have you added %SystemRoot%\System and %SystemRoot%\System32 to your
> >>environment path variable?
> >>
> >>
> >
> >No, PATH was: PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
> >I set it to
> >PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\SYSTEM;C:\SYSTEM32
> >
> >the Problem remained.
> >
> >Gregor
> >
> >
> >
> >
> >>HTH
> >>
> >>Gregor Zattler schrieb:
> >>
> >>
> >>
> >>>I installed it on Win98se and got an alarm box saying: gpg.exe is
> >>>linked to the not available Export-SHELL32.DLL:SHGetFolderPathA.
> >>>(Message was shown in german, I translated it. For original see
> >>>attached image).
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >
>
>
From sk at intertivity.com Fri Feb 4 17:07:05 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Fri Feb 4 18:26:19 2005
Subject: Signing a Key
Message-ID: <42039DA9.8020306@intertivity.com>
Hi,
when i used to sign a key using 1.2.4 i was asked how good i know the
person which partly reflected "Signature Types" of RFC2440,5 .
But know (1.4.0a) i won't be asked anymore and the signature type is
always 0x10
Best thanks
esskar
From atom at smasher.org Fri Feb 4 19:17:32 2005
From: atom at smasher.org (Atom Smasher)
Date: Fri Feb 4 19:13:39 2005
Subject: Signing a Key
In-Reply-To: <42039DA9.8020306@intertivity.com>
References: <42039DA9.8020306@intertivity.com>
Message-ID: <20050204181714.71249.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Fri, 4 Feb 2005, Sascha Kiefer wrote:
> Hi, when i used to sign a key using 1.2.4 i was asked how good i know
> the person which partly reflected "Signature Types" of RFC2440,5 . But
> know (1.4.0a) i won't be asked anymore and the signature type is always
> 0x10
==================
--ask-cert-level
--no-ask-cert-level
When making a key signature, prompt for a certification level.
If this option is not specified, the certification level used is
set via --default-cert-level. See --default-cert-level for
information on the specific levels and how they are used.
--no-ask-cert-level disables this option. This option defaults to
no.
this used to default to yes. now you have to specify it explicitly. also
check out "--default-cert-level". i have both in my config.
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"Not a single war has been fought by vegetarians."
-- Akbarali Jetha
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCA7xCAAoJEAx/d+cTpVcil+gIAL/gJc73lr3fkZRi7MG19CL2
Sv4gj9t0MrnqabHupO4dU0leyu05ontF7hx/cnt/nanNyDRj57MLfYmavFO3I4+G
0zZ3YGaHCrs9Q4NgPid415GZlQ2gtLjwT7ibGtOkUxFalON3wEt/GT8e69WkANwF
2cEqK015EGBivLLRNBWxwi6DVHa/KdaI9tGnBspCYMSaMB44ECDDXlqjnVt4IXrI
9h/meMkgxM8jg2qxio4hmVAdRzBnuITauGiTrLqPN1xyagwBwNh3iGt5ifdov5au
7zlw8TxqsuQzRHRhGpUgy+ulfhfNdA/vogk212DjzLLG1U8MS07ov8xOE3hNkWU=
=NpHg
-----END PGP SIGNATURE-----
From ml at bitfalle.org Fri Feb 4 19:29:04 2005
From: ml at bitfalle.org (markus reichelt)
Date: Fri Feb 4 19:26:14 2005
Subject: Signing a Key
In-Reply-To: <42039DA9.8020306@intertivity.com>
References: <42039DA9.8020306@intertivity.com>
Message-ID: <20050204182904.GA3110@dantooine>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sascha Kiefer wrote:
> when i used to sign a key using 1.2.4 i was asked how good i know the
> person which partly reflected "Signature Types" of RFC2440,5 .
> But know (1.4.0a) i won't be asked anymore and the signature type is
> always 0x10
i noticed that, too. by adding *-cert-level options to config file it
works as before again.
- --
Bastard Administrator in $hell
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFCA77vLMyTO8Kj/uQRAijcAJ92y4coSNOuhsZwWs6vi1FFICpKkwCaA6LF
i72TJ4mBFwGIaSE9ZjC9jFM=
=CbBE
-----END PGP SIGNATURE-----
From ml at bitfalle.org Fri Feb 4 19:31:43 2005
From: ml at bitfalle.org (markus reichelt)
Date: Fri Feb 4 19:28:39 2005
Subject: Signing a Key
In-Reply-To: <20050204181714.71249.qmail@smasher.org>
References: <42039DA9.8020306@intertivity.com>
<20050204181714.71249.qmail@smasher.org>
Message-ID: <20050204183143.GB3110@dantooine>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Atom Smasher wrote:
> this used to default to yes. now you have to specify it explicitly. also
> check out "--default-cert-level". i have both in my config.
newbies will stumble upon this... just curious, any idea why this was
changed? i really don't see why it was necessary.
- --
Bastard Administrator in $hell
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFCA7+PLMyTO8Kj/uQRAgcRAJ9/FQKraryLD72xZlpPSjr5v2prywCeLf+p
m+3/dPfZio3sq/iDK+UPy8k=
=ymmQ
-----END PGP SIGNATURE-----
From dshaw at jabberwocky.com Fri Feb 4 19:39:05 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Feb 4 19:35:57 2005
Subject: Signing a Key
In-Reply-To: <20050204183143.GB3110@dantooine>
References: <42039DA9.8020306@intertivity.com>
<20050204181714.71249.qmail@smasher.org>
<20050204183143.GB3110@dantooine>
Message-ID: <20050204183905.GC22572@jabberwocky.com>
On Fri, Feb 04, 2005 at 07:31:43PM +0100, markus reichelt wrote:
> Atom Smasher wrote:
> > this used to default to yes. now you have to specify it explicitly. also
> > check out "--default-cert-level". i have both in my config.
>
> newbies will stumble upon this... just curious, any idea why this was
> changed? i really don't see why it was necessary.
Some people decided that since a level 1 "I didn't check at all"
signature type was available, that it was a Real Good Idea to sign
every single key they saw.
Also, it's one more thing to have to explain to newbies. If they
don't see the question, they don't have to ask.
David
From atom at smasher.org Fri Feb 4 19:44:01 2005
From: atom at smasher.org (Atom Smasher)
Date: Fri Feb 4 19:39:49 2005
Subject: Signing a Key
In-Reply-To: <20050204183143.GB3110@dantooine>
References: <42039DA9.8020306@intertivity.com>
<20050204181714.71249.qmail@smasher.org>
<20050204183143.GB3110@dantooine>
Message-ID: <20050204184342.89686.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Fri, 4 Feb 2005, markus reichelt wrote:
> Atom Smasher wrote:
>> this used to default to yes. now you have to specify it explicitly.
>> also check out "--default-cert-level". i have both in my config.
>
> newbies will stumble upon this... just curious, any idea why this was
> changed? i really don't see why it was necessary.
======================
i think too many noobs were being confused by the prompt. the theory now
seems to be that if you know about levels, you'll figure out how to sign
with a desired level. for everyone else, it defaults to 0x10.
IFIAK, PGP(tm) is still only capable of issuing 0x10 key signatures.
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"The idea that Bill Gates has appeared like a knight
in shining armor to lead all customers out of a mire
of technological chaos neatly ignores the fact that
it was he, who by peddling second-rate technology,
led them into it in the first place."
-- Douglas Adams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCA8J3AAoJEAx/d+cTpVci24IH/0Z+bNiR0o0dru+BoYmfaiQ5
ZOHML7ZjjUDBITe/Yiioml2+zjYDdhtQOWRygOZ1vVKXsbqK+oG5RGbaztUeS63g
OlVUQeIe2LBW9YIHLIzH0Htxd6C56i0D2EN7/EGCsZv+ELE2kVK/9XuKAckssgCl
kuLHVoxvL8pFM1UVfOT4CzAXxMF3666BdmBAVb9y+CSsTb155R0V9znDWRfPhhGY
WdXcFw2G8u44sIO7hQKt7sjksa8p9bC2D9K1MrmYuGTXR3wAF7tZ5f2o4heSOmt3
mWVWZDbk4HfPg9w+Xs65swMC7jPsSSknn4fYm/sw0qEhlHsK0T4Znvtp+PeHP6U=
=5KCE
-----END PGP SIGNATURE-----
From deleemo at yahoo.com Fri Feb 4 19:43:43 2005
From: deleemo at yahoo.com (David Lee)
Date: Fri Feb 4 20:40:28 2005
Subject: PGP 7.1 Decryption failed bad key
Message-ID: <20050204184343.29252.qmail@web52301.mail.yahoo.com>
Created new key pair in 1.4. Exported the public key
to pgp 7.1. It now works.
pubkey enc packet: version 3, algo 16,
data: [2048 bits]
data: [2048 bits]
Why does pgp 7.1 not work with the old public key?
Looking for help with additional directions to solve
this problem. Using gnupg 1.4.
exported keys from old keyring imported into 1.4
keyring. Old version 1.0.3
looked on gnupg-users for anything related, did not
find any particular solution.
I have other customers that use pgp that I am not
having a problem with even with 1.0.3
Is it possible that the character set is an issue. My
software is running under hpux11.
Any ideas would be greatly appreciated. The other
party also indicated that they encrypt files that are
used by their customers running gunpg. Don't
particularly want to create a new secret and public
key for
these guys but will if that is the solution.
311 /transapps/adi/gpg> gpg -v -v -v --decrypt
Testfile.pgp
gpg: using character set `utf-8'
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more
information
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: PGP 7.1
:marker packet:
50 47 50
:pubkey enc packet: version 3, algo 16, keyid
XXXXXXXXXXXXX
data: [1024 bits]
data: [1024 bits]
gpg: public key is XXXXXXX
gpg: using secondary key XXXXXXX instead of primary
key XXXXXXX
You need a passphrase to unlock the secret key for
user: "ediup101 (Transentric Public Key for GTE)
"
gpg: using secondary key XXXXXXX instead of primary
key XXXXXXX
1024-bit ELG-E key, ID XXXXXXX, created 2000-10-16
(main key ID XXXXXXX)
gpg: public key encrypted data: good DEK
:encrypted data packet:
length: 632
gpg: encrypted with 1024-bit ELG-E key, ID XXXXXXX,
created 2000-10-16
"ediup101 (Transentric Public Key for GTE)
"
gpg: TWOFISH encrypted data
gpg: decryption failed: bad key
__________________________________
Do you Yahoo!?
Yahoo! Mail - now with 250MB free storage. Learn more.
http://info.mail.yahoo.com/mail_250
From jharris at widomaker.com Fri Feb 4 20:57:08 2005
From: jharris at widomaker.com (Jason Harris)
Date: Fri Feb 4 20:53:31 2005
Subject: Signing a Key
In-Reply-To: <20050204183905.GC22572@jabberwocky.com>
References: <42039DA9.8020306@intertivity.com>
<20050204181714.71249.qmail@smasher.org>
<20050204183143.GB3110@dantooine>
<20050204183905.GC22572@jabberwocky.com>
Message-ID: <20050204195707.GC3466@wilma.widomaker.com>
On Fri, Feb 04, 2005 at 01:39:05PM -0500, David Shaw wrote:
> Some people decided that since a level 1 "I didn't check at all"
> signature type was available, that it was a Real Good Idea to sign
> every single key they saw.
In the 2005-01-23 keyanalyze keydump, there are 2896 0x11 (userid cert.)
sigs. from 589 issuers (unique long keyids). 296 issuers (50%) only
issued one 0x11 sig. and 560 (95%) issued less than ten 0x11 sigs.
0x10581685C521097E (Kyle's RobotCA instance) is responsible for 592
such sigs, or 20%, 0x6EA7FB4DE0BB4BCD (telering.at's RobotCA instance)
issued 217, or 7.5%, and 0x25360A719C851DF1 (ImperialViolet) issued 127.
Only two individuals issued more 0x11 sigs than my 40.
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050204/2657d475/attachment.pgp
From dshaw at jabberwocky.com Fri Feb 4 21:48:31 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Feb 4 21:45:19 2005
Subject: Signing a Key
In-Reply-To: <20050204195707.GC3466@wilma.widomaker.com>
References: <42039DA9.8020306@intertivity.com>
<20050204181714.71249.qmail@smasher.org>
<20050204183143.GB3110@dantooine>
<20050204183905.GC22572@jabberwocky.com>
<20050204195707.GC3466@wilma.widomaker.com>
Message-ID: <20050204204831.GD22572@jabberwocky.com>
On Fri, Feb 04, 2005 at 02:57:08PM -0500, Jason Harris wrote:
> On Fri, Feb 04, 2005 at 01:39:05PM -0500, David Shaw wrote:
>
> > Some people decided that since a level 1 "I didn't check at all"
> > signature type was available, that it was a Real Good Idea to sign
> > every single key they saw.
>
> In the 2005-01-23 keyanalyze keydump, there are 2896 0x11 (userid cert.)
> sigs. from 589 issuers (unique long keyids). 296 issuers (50%) only
> issued one 0x11 sig. and 560 (95%) issued less than ten 0x11 sigs.
> 0x10581685C521097E (Kyle's RobotCA instance) is responsible for 592
> such sigs, or 20%, 0x6EA7FB4DE0BB4BCD (telering.at's RobotCA instance)
> issued 217, or 7.5%, and 0x25360A719C851DF1 (ImperialViolet) issued 127.
> Only two individuals issued more 0x11 sigs than my 40.
I'm afraid I don't see the point you're trying to make.
David
From mconahan at iotest.org Fri Feb 4 22:38:17 2005
From: mconahan at iotest.org (mconahan@iotest.org)
Date: Fri Feb 4 22:34:32 2005
Subject: Creating a RFC3156 compliant encrypted message with Gnu PG
Message-ID: <4203EB49.20604@iotest.org>
Does anyone know how to create a RFC 3156 compliant PGP encrypted
message with Gnu PG? I am building an app that is making use of the Gnu
PG functionality, and I am having some trouble getting other PGP apps
(said to be 3156 compliant) to accept it. I have read both RFC 3156 and
2015, and I seem to be missing something, since it isn't working.
Does anyone know of tutorial site, or has a script that creates a RFC
3156 compliant message? Any help would be appreciated.
From sk at intertivity.com Fri Feb 4 23:01:36 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Fri Feb 4 22:57:41 2005
Subject: Creating a RFC3156 compliant encrypted message with Gnu PG
In-Reply-To: <4203EB49.20604@iotest.org>
Message-ID: <000e01c50b05$19144cf0$f300a8c0@HOME>
Well, you have to build the MIME structure yourself.
As far as i know GnuPG does not know about MIME in particular.
Have fun.
esskar
> -----Original Message-----
> From: gnupg-users-bounces@gnupg.org
> [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of
> mconahan@iotest.org
> Sent: Freitag, 4. Februar 2005 22:38
> To: gnupg-users@gnupg.org
> Subject: Creating a RFC3156 compliant encrypted message with Gnu PG
>
>
> Does anyone know how to create a RFC 3156 compliant PGP encrypted
> message with Gnu PG? I am building an app that is making use
> of the Gnu
> PG functionality, and I am having some trouble getting other PGP apps
> (said to be 3156 compliant) to accept it. I have read both
> RFC 3156 and
> 2015, and I seem to be missing something, since it isn't working.
>
> Does anyone know of tutorial site, or has a script that creates a RFC
> 3156 compliant message? Any help would be appreciated.
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
From JPClizbe at comcast.net Fri Feb 4 23:09:46 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Fri Feb 4 23:06:27 2005
Subject: Creating a RFC3156 compliant encrypted message with Gnu PG
In-Reply-To: <4203EB49.20604@iotest.org>
References: <4203EB49.20604@iotest.org>
Message-ID: <4203F2AA.2030909@comcast.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
mconahan@iotest.org wrote:
> Does anyone know how to create a RFC 3156 compliant PGP encrypted
> message with Gnu PG? I am building an app that is making use of the Gnu
> PG functionality, and I am having some trouble getting other PGP apps
> (said to be 3156 compliant) to accept it. I have read both RFC 3156 and
> 2015, and I seem to be missing something, since it isn't working.
>
> Does anyone know of tutorial site, or has a script that creates a RFC
> 3156 compliant message? Any help would be appreciated.
Check the source code for Enigmail or Mutt.
- --
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
GingerBear Consluting PGP/GPG KeyID: 0x608D2A10
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (MingW32)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the ?33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFCA/KqHQSsSmCNKhARAgl6AJ9dLvtPYylG6TYZUrNtG4sBa7G8DACfVys1
ApG+APz5W7ZYy08NX/nHjwY=
=v595
-----END PGP SIGNATURE-----
From jharris at widomaker.com Sat Feb 5 00:51:31 2005
From: jharris at widomaker.com (Jason Harris)
Date: Sat Feb 5 00:47:53 2005
Subject: Signing a Key
In-Reply-To: <20050204204831.GD22572@jabberwocky.com>
References: <42039DA9.8020306@intertivity.com>
<20050204181714.71249.qmail@smasher.org>
<20050204183143.GB3110@dantooine>
<20050204183905.GC22572@jabberwocky.com>
<20050204195707.GC3466@wilma.widomaker.com>
<20050204204831.GD22572@jabberwocky.com>
Message-ID: <20050204235131.GD3466@wilma.widomaker.com>
On Fri, Feb 04, 2005 at 03:48:31PM -0500, David Shaw wrote:
> On Fri, Feb 04, 2005 at 02:57:08PM -0500, Jason Harris wrote:
> > On Fri, Feb 04, 2005 at 01:39:05PM -0500, David Shaw wrote:
> > > Some people decided that since a level 1 "I didn't check at all"
> > > signature type was available, that it was a Real Good Idea to sign
> > > every single key they saw.
> >
> > In the 2005-01-23 keyanalyze keydump, there are 2896 0x11 (userid cert.)
> > sigs. from 589 issuers (unique long keyids). 296 issuers (50%) only
> > issued one 0x11 sig. and 560 (95%) issued less than ten 0x11 sigs.
> > 0x10581685C521097E (Kyle's RobotCA instance) is responsible for 592
> > such sigs, or 20%, 0x6EA7FB4DE0BB4BCD (telering.at's RobotCA instance)
> > issued 217, or 7.5%, and 0x25360A719C851DF1 (ImperialViolet) issued 127.
> > Only two individuals issued more 0x11 sigs than my 40.
>
> I'm afraid I don't see the point you're trying to make.
Looking at the stats, the number of people issuing 0x11 signatures
doesn't seem worrisome, and having issued 40 such sigs myself, there
are only two individuals I'd question about issuing even more
(specifically, 69 and 52) 0x11 signatures.
Furthermore, since the RFC allows one to explicitly assert (quoting
draft-ietf-openpgp-rfc2440bis-12.txt):
0x11: Persona certification of a User ID and Public Key packet.
The issuer of this certification has not done any verification
of the claim that the owner of this key is the User ID
specified.
rather than always just:
0x10: Generic certification of a User ID and Public Key packet.
The issuer of this certification does not make any particular
assertion as to how well the certifier has checked that the
owner of the key is in fact the person described by the User ID.
Note that all PGP "key signatures" are this type of
certification.
I feel everyone should be given the opportunity to do so. Per the RFC,
0x11 sigs don't even require email verification, so I see no harm in
allowing one to state "I checked nothing" v. "I won't tell you what I
did and/or didn't check." Even requiring a policy URL or other
explanation/justification for each signature won't allow us to determine
the _highly subjective_ nature of one's signature levels in any automated
way, by definition in the RFC:
Please note that the vagueness of these certification claims is
not a flaw, but a feature of the system. Because PGP places
final authority for validity upon the receiver of a
certification, it may be that one authority's casual
certification might be more rigorous than some other authority's
positive certification. These classifications allow a
certification authority to issue fine-grained claims.
so we may as well resign ourselves to this fact.
(Thus, GPG's --min-cert-level probably needs to be settable per signer -
after reviewing the signer's policies - to account for these differences.)
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050204/ea4e2bf1/attachment.pgp
From dshaw at jabberwocky.com Sat Feb 5 02:46:05 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Feb 5 02:43:08 2005
Subject: Signing a Key
In-Reply-To: <20050204235131.GD3466@wilma.widomaker.com>
References: <42039DA9.8020306@intertivity.com>
<20050204181714.71249.qmail@smasher.org>
<20050204183143.GB3110@dantooine>
<20050204183905.GC22572@jabberwocky.com>
<20050204195707.GC3466@wilma.widomaker.com>
<20050204204831.GD22572@jabberwocky.com>
<20050204235131.GD3466@wilma.widomaker.com>
Message-ID: <20050205014605.GA23212@jabberwocky.com>
On Fri, Feb 04, 2005 at 06:51:31PM -0500, Jason Harris wrote:
> On Fri, Feb 04, 2005 at 03:48:31PM -0500, David Shaw wrote:
> > On Fri, Feb 04, 2005 at 02:57:08PM -0500, Jason Harris wrote:
> > > On Fri, Feb 04, 2005 at 01:39:05PM -0500, David Shaw wrote:
>
> > > > Some people decided that since a level 1 "I didn't check at all"
> > > > signature type was available, that it was a Real Good Idea to sign
> > > > every single key they saw.
> > >
> > > In the 2005-01-23 keyanalyze keydump, there are 2896 0x11 (userid cert.)
> > > sigs. from 589 issuers (unique long keyids). 296 issuers (50%) only
> > > issued one 0x11 sig. and 560 (95%) issued less than ten 0x11 sigs.
> > > 0x10581685C521097E (Kyle's RobotCA instance) is responsible for 592
> > > such sigs, or 20%, 0x6EA7FB4DE0BB4BCD (telering.at's RobotCA instance)
> > > issued 217, or 7.5%, and 0x25360A719C851DF1 (ImperialViolet) issued 127.
> > > Only two individuals issued more 0x11 sigs than my 40.
> >
> > I'm afraid I don't see the point you're trying to make.
>
> Looking at the stats, the number of people issuing 0x11 signatures
> doesn't seem worrisome, and having issued 40 such sigs myself, there
> are only two individuals I'd question about issuing even more
> (specifically, 69 and 52) 0x11 signatures.
>
> Furthermore, since the RFC allows one to explicitly assert (quoting
> draft-ietf-openpgp-rfc2440bis-12.txt):
[ snip RFC quoting ]
> I feel everyone should be given the opportunity to do so. Per the RFC,
> 0x11 sigs don't even require email verification, so I see no harm in
> allowing one to state "I checked nothing" v. "I won't tell you what I
> did and/or didn't check." Even requiring a policy URL or other
> explanation/justification for each signature won't allow us to determine
> the _highly subjective_ nature of one's signature levels in any automated
> way, by definition in the RFC:
[ snip more RFC quoting ]
> so we may as well resign ourselves to this fact.
Facts are interesting things. The RFC doesn't specify a trust model
anywhere. Thus, all programs accept a 0x11 (or 0x10, 0x12 or 0x13)
signature... but treat them all the same. Perfectly compliant to the
RFC.
0x11 signatures are also interesting things. When made by people (as
opposed to robots) they are in effect someone making a public
statement to say "Hey, look, I made a lousy signature". I can't
imagine why someone would choose to advertise far and wide how
terrible their signing policy is, but GnuPG allows people to do stupid
things if they really want to.
GnuPG will quite happily make 0x11 signatures. It just doesn't do so
by default. Those people who want to make typed signatures can set
--ask-cert-level and then everyone is happy.
Similarly, by default GnuPG ignores 0x11 signatures. Like issuing
them, this doesn't stop anyone from accepting 0x11 signatures. Any
user who cares to can opt-in via "--min-cert-level 1" and accept any
signatures they like. Given that the whole point of an 0x11 signature
is to say "I didn't check AT ALL", ignoring them by default is safer
than accepting them.
To put this another way, the RFC allows a sender to send foolish
things. It does not require the recipient to accept them.
> (Thus, GPG's --min-cert-level probably needs to be settable per signer -
> after reviewing the signer's policies - to account for these differences.)
Your own statistics argue against this. 589 people in the entire
OpenPGP world actually issued 0x11 signatures. Just 293 people issued
more than one. Given the number of people using OpenPGP, 293 people
is a rounding error. That's not worth having a whole new trust model
for, especially given the serious security ramifications of 0x11
signatures, be vastly more confusing to new users, and be incompatible
with PGP to boot.
David
From devegades at gmail.com Sat Feb 5 09:26:41 2005
From: devegades at gmail.com (Toni)
Date: Sat Feb 5 10:22:57 2005
Subject: Howto multiple mail accts.
Message-ID: <9d7e2bf905020500264adbfe92@mail.gmail.com>
Hi,
I'm new to gpg and have some doubts I could not google. Please direct
me to a FAQ / HOWTO / etc if such document exists:
I have several mail accounts, some personal, some for work, etc. I
have seen three possibilities to deal with this:
- Add multiple UIDs to my main key
- Have multiple signing subkeys
- Have secondary "complete" keys signed by my main key.
I've been reading the pros/cons of each aproach and can't make up my
mind to what is the best approach.
Right now I thinnk the best would be to have a main key, with no
e-mail at all and use this to sign other keys, one for each mail
account.
What do you think?
Thanks for answers,
Toni
From sk at intertivity.com Sat Feb 5 12:10:37 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Sat Feb 5 12:07:07 2005
Subject: it's not a PATH problem (was: Re: release candidate for
1.4.1available)
In-Reply-To: <20050204164756.GA16960@pit.ID-43118.user.dfncis.de>
Message-ID: <000401c50b73$524f4b00$f300a8c0@HOME>
Hi.
Installing
http://www.microsoft.com/downloads/details.aspx?FamilyID=6ae02498-07e9-48f1-
a5d6-dbfa18d37e0f&DisplayLang=en
may be helps.
esskar
> -----Original Message-----
> From: gnupg-users-bounces@gnupg.org
> [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Gregor Zattler
> Sent: Freitag, 4. Februar 2005 17:48
> To: gnupg-users
> Subject: it's not a PATH problem (was: Re: release candidate
> for 1.4.1available)
>
>
> Hi Sascha,
> * Sascha Kiefer [04. Feb. 2005]:
> > :)
> >
> > %SystemRoot% = c:\Windows
> > =>
> >
> PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\SYSTEM;C:\WINDOWS\SYSTEM
> > 32
> >
> > and the restart will always help!
>
> ah, I see my typo. Did as you wrote (cut 'n paste in
> autoexec.lbat, reebot, tested %PATH%, cd to
> C:\Programme\GNU\GnuPG, "gpg --help"
> --> said error message) but didn't help.
>
> Gregor
>
>
> >
> >
> > Gregor Zattler schrieb:
> >
> > >Hi Sascha,
> > >* Sascha Kiefer [03. Feb. 2005]:
> > >
> > >
> > >>Have you added %SystemRoot%\System and
> %SystemRoot%\System32 to your
> > >>environment path variable?
> > >>
> > >>
> > >
> > >No, PATH was: PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
> > >I set it to
> PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\SYSTEM;C:\SYSTEM32
> > >
> > >the Problem remained.
> > >
> > >Gregor
> > >
> > >
> > >
> > >
> > >>HTH
> > >>
> > >>Gregor Zattler schrieb:
> > >>
> > >>
> > >>
> > >>>I installed it on Win98se and got an alarm box saying:
> gpg.exe is
> > >>>linked to the not available Export-SHELL32.DLL:SHGetFolderPathA.
> > >>>(Message was shown in german, I translated it. For original see
> > >>>attached image).
> > >>>
> > >>>
> > >>>
> > >>>
> > >>
> > >>
> > >
> >
> >
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
From thfrdue at gmx.de Sat Feb 5 16:31:20 2005
From: thfrdue at gmx.de (=?ISO-8859-15?Q?=22Thomas_F=2E_D=FCllmann=22?=)
Date: Sat Feb 5 16:27:19 2005
Subject: "Malformed user id"
Message-ID: <4204E6C8.7090907@gmx.de>
Hi,
|You wrote:
|
|>>everytime I want to encrypt any file/text following error message is
|>>displayed:
|>>
|>>"malformed user id"
|
|
|and Werner replied:
|
|>You used an empty string for a user ID (recipient or signer),
|>it does not match the syntax for a keyid or similar.
|
|
|Amen to you not providing the actual (even if you obfuscate
|the User ID stuff). For example, if I do a "gpg --list-keys"
|I get the following two entries:
|
|pub 1024D/83E13389 1999-09-18 CeTro
|sub 2048g/B0759308 1999-09-18
|
|I can encrypt a file named "Crypt.txt" with the following
|command for "CeTro" with any of the following commands (one
|good example is priceless):
|
|gpg -a --encrypt -r CeTro < Crypt.txt > Crypt.txt.asc
|# or
|gpg -a --encrypt -r 83E13389 < Crypt.txt > Crypt.txt.asc
|# or
|gpg -a --encrypt -r troutman@mesh.net < Crypt.txt > Crypt.txt.asc
|
I tried to encrypt it, but it just created a file named Crypt.txt.asc
, but then the same error message occured ("Malformed user id").
|The -a option (armour) is necessary to send the email to somebody
|else, since it makes the output in printable ASCII characters.
|Don't worry about all of the above three files being different.
|Each time you call GPG, you end up with different encryption
|because the random_seed keeps changing.
|
|If this doesn't clear it up for you, let me know, but I suspect
|it will make EVERYTHING clear.
It's clear to me how it works, but it doesn't as i want. I always get
this errormessage.
Please help, don't know what to do now
Greetz
duelle
Email: thfrdue@gmx.de
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.5 - Release Date: 03.02.2005
From david69 at charter.net Sat Feb 5 19:05:10 2005
From: david69 at charter.net (David)
Date: Sat Feb 5 19:02:29 2005
Subject: RSA subkeys
Message-ID: <20050205180510.GA3229@charter.net>
Thank you atom, Werner and Johan. I will create a RSA 2048 (sign only)
key with RSA 4096 (encrypt) subkey. I understand that most recent PGP
and all recent GPG can handle it.
David
From jharris at widomaker.com Sat Feb 5 18:28:34 2005
From: jharris at widomaker.com (Jason Harris)
Date: Sat Feb 5 19:15:08 2005
Subject: Signing a Key
In-Reply-To: <20050205014605.GA23212@jabberwocky.com>
References: <42039DA9.8020306@intertivity.com>
<20050204181714.71249.qmail@smasher.org>
<20050204183143.GB3110@dantooine>
<20050204183905.GC22572@jabberwocky.com>
<20050204195707.GC3466@wilma.widomaker.com>
<20050204204831.GD22572@jabberwocky.com>
<20050204235131.GD3466@wilma.widomaker.com>
<20050205014605.GA23212@jabberwocky.com>
Message-ID: <20050205172833.GE3466@wilma.widomaker.com>
On Fri, Feb 04, 2005 at 08:46:05PM -0500, David Shaw wrote:
> On Fri, Feb 04, 2005 at 06:51:31PM -0500, Jason Harris wrote:
> 0x11 signatures are also interesting things. When made by people (as
> opposed to robots) they are in effect someone making a public
> statement to say "Hey, look, I made a lousy signature". I can't
> imagine why someone would choose to advertise far and wide how
> terrible their signing policy is, but GnuPG allows people to do stupid
> things if they really want to.
You (continue to) assume _all_ humans who issue 0x11 signatures do so
without employing encrypted challenges?
> > (Thus, GPG's --min-cert-level probably needs to be settable per signer -
> > after reviewing the signer's policies - to account for these differences.)
>
> Your own statistics argue against this. 589 people in the entire
> OpenPGP world actually issued 0x11 signatures. Just 293 people issued
> more than one. Given the number of people using OpenPGP, 293 people
> is a rounding error. That's not worth having a whole new trust model
> for, especially given the serious security ramifications of 0x11
> signatures, be vastly more confusing to new users, and be incompatible
> with PGP to boot.
Even ignoring 0x11 signatures, a 0x12 signature from a given issuer
implies less trust (due to less checking) than a 0x13 signature from
the same issuer. What is the point in (any OpenPGP program) throwing
this extra data away (by ignoring it in trust calculations)?
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050205/446236a6/attachment.pgp
From npcole at yahoo.co.uk Sat Feb 5 18:39:41 2005
From: npcole at yahoo.co.uk (Nicholas Cole)
Date: Sat Feb 5 19:36:21 2005
Subject: Signing a Key
In-Reply-To: <20050205014605.GA23212@jabberwocky.com>
Message-ID: <20050205173941.57245.qmail@web25408.mail.ukl.yahoo.com>
--- David Shaw wrote:
[snip]
> Similarly, by default GnuPG ignores 0x11 signatures.
> Like issuing them, this doesn't stopanyone from
> accepting 0x11 signatures. Any user who cares to
can
> opt-in via "--min-cert-level 1" and accept any
> signatures they like. Given that the whole point of
> an 0x11 signature is to say "I didn't check AT ALL",
> ignoring them by default is safer than accepting
them.
[snip]
Dear David,
Without wishing to question any of the defaults, which
I think make perfect sense, could I just point out
that the man page does not make it clear that level 0
signatures are ALWAYS accepted, regardless of the
min-cert-level? As I read it at the moment, it seems
to suggest that by default level 0 and level 1
signatures are both ignored, which I'm sure is not the
case.
Best,
N.
___________________________________________________________
ALL-NEW Yahoo! Messenger - all new features - even more fun! http://uk.messenger.yahoo.com
From dshaw at jabberwocky.com Sat Feb 5 20:23:53 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Feb 5 20:20:48 2005
Subject: Signing a Key
In-Reply-To: <20050205172833.GE3466@wilma.widomaker.com>
References: <42039DA9.8020306@intertivity.com>
<20050204181714.71249.qmail@smasher.org>
<20050204183143.GB3110@dantooine>
<20050204183905.GC22572@jabberwocky.com>
<20050204195707.GC3466@wilma.widomaker.com>
<20050204204831.GD22572@jabberwocky.com>
<20050204235131.GD3466@wilma.widomaker.com>
<20050205014605.GA23212@jabberwocky.com>
<20050205172833.GE3466@wilma.widomaker.com>
Message-ID: <20050205192353.GA4263@jabberwocky.com>
On Sat, Feb 05, 2005 at 12:28:34PM -0500, Jason Harris wrote:
> On Fri, Feb 04, 2005 at 08:46:05PM -0500, David Shaw wrote:
> > On Fri, Feb 04, 2005 at 06:51:31PM -0500, Jason Harris wrote:
>
> > 0x11 signatures are also interesting things. When made by people (as
> > opposed to robots) they are in effect someone making a public
> > statement to say "Hey, look, I made a lousy signature". I can't
> > imagine why someone would choose to advertise far and wide how
> > terrible their signing policy is, but GnuPG allows people to do stupid
> > things if they really want to.
>
> You (continue to) assume _all_ humans who issue 0x11 signatures do so
> without employing encrypted challenges?
Sigh.
As I keep saying: if you want to issue 0x11 signatures, go ahead.
Nobody is stopping you. If you want to accept 0x11 signatures, go
ahead. Nobody is stopping you.
Where's the problem? You don't like the defaults? Change them.
> Even ignoring 0x11 signatures, a 0x12 signature from a given issuer
> implies less trust (due to less checking) than a 0x13 signature from
> the same issuer. What is the point in (any OpenPGP program) throwing
> this extra data away (by ignoring it in trust calculations)?
If a user only wants to accept 0x13 signatures, that is their decision
to make, via --min-cert-level 3. The default behavior in GnuPG is to
accept both 0x12 and 0x13 (and 0x10, of course).
David
From atom at smasher.org Sat Feb 5 20:31:23 2005
From: atom at smasher.org (Atom Smasher)
Date: Sat Feb 5 20:27:24 2005
Subject: Signing a Key
In-Reply-To: <20050205172833.GE3466@wilma.widomaker.com>
References: <42039DA9.8020306@intertivity.com>
<20050204181714.71249.qmail@smasher.org>
<20050204183143.GB3110@dantooine>
<20050204183905.GC22572@jabberwocky.com>
<20050204195707.GC3466@wilma.widomaker.com>
<20050204204831.GD22572@jabberwocky.com>
<20050204235131.GD3466@wilma.widomaker.com>
<20050205014605.GA23212@jabberwocky.com>
<20050205172833.GE3466@wilma.widomaker.com>
Message-ID: <20050205193112.3303.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Sat, 5 Feb 2005, Jason Harris wrote:
> Even ignoring 0x11 signatures, a 0x12 signature from a given issuer
> implies less trust (due to less checking) than a 0x13 signature from the
> same issuer. What is the point in (any OpenPGP program) throwing this
> extra data away (by ignoring it in trust calculations)?
=====================
i don't know about anyone else, but i reserve 0x13 sigs for people i
*know*, usually for some length of time.
if i meet someone at a keysigning party and they show me some
identification with a picture that looks like them, that earns a 0x12 from
me. i have no idea who they *really* are, but they have gone through the
trouble of showing me some identification that looks like them. OTOH if my
brother, or someone who i've known personally for a several years wants me
to sign their key, they're more likely to _earn_ a 0x13 sig from me.
to me, that fits the definition of "casual" and "extensive" verification.
if i board a plane and they look at my identification, i wouldn't call
that an "extensive" check.
of course, the system does encourage people to do what makes sense for
them. there isn't necessarily a wrong way to issue sigs... as long as
there's a defensible reasoning for it, everyone can choose for them self
how to define "casual" and "extensive".
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"A good many observers have remarked that if
equality could come at once the Negro would
not be ready for it. I submit that the
white American is even more unprepared."
-- Martin Luther King, Jr.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCBR8WAAoJEAx/d+cTpVciK2YH/2cByYzBVMZTK42Jl6vtk8gf
wl4PqGSsKOCkoce83YKz+kVZrJjR9gbAZwZ9QYAi4SIKSNcewswhk11FIw2ag5d5
itkOYDVNM2ec4L+VhyL/FPsn93kqbrhY0smKM9R2AnBaiNcvnGp44Mkyg+gZs+bd
QOr7Xzsf2w4s+aj239qtuVIbQ86QIhSXpq8fFp7m3TnOSFUzhdtXqsJhDk0efCJ7
K8IrOl4RclPj47BrcalotKgsZbgt2lhjXQQstSD+5i6d1fSGBZ/NoLCqgWo8IhiQ
iACNoPBE7UmAWurdMEp+7J1kT2cj1lowNu06WFrWTBw3MG/PxPNdOOf/cm6OJEU=
=RDYU
-----END PGP SIGNATURE-----
From dshaw at jabberwocky.com Sat Feb 5 20:38:18 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Feb 5 20:35:01 2005
Subject: Signing a Key
In-Reply-To: <20050205173941.57245.qmail@web25408.mail.ukl.yahoo.com>
References: <20050205014605.GA23212@jabberwocky.com>
<20050205173941.57245.qmail@web25408.mail.ukl.yahoo.com>
Message-ID: <20050205193818.GB4263@jabberwocky.com>
On Sat, Feb 05, 2005 at 05:39:41PM +0000, Nicholas Cole wrote:
> --- David Shaw wrote:
>
> [snip]
>
> > Similarly, by default GnuPG ignores 0x11 signatures.
> > Like issuing them, this doesn't stopanyone from
> > accepting 0x11 signatures. Any user who cares to
> can
> > opt-in via "--min-cert-level 1" and accept any
> > signatures they like. Given that the whole point of
> > an 0x11 signature is to say "I didn't check AT ALL",
> > ignoring them by default is safer than accepting
> them.
>
> [snip]
>
> Dear David,
>
> Without wishing to question any of the defaults, which
> I think make perfect sense, could I just point out
> that the man page does not make it clear that level 0
> signatures are ALWAYS accepted, regardless of the
> min-cert-level? As I read it at the moment, it seems
> to suggest that by default level 0 and level 1
> signatures are both ignored, which I'm sure is not the
> case.
You're right. The manual is misleading on this point. I'll fix it.
David
From atom at smasher.org Sat Feb 5 21:35:41 2005
From: atom at smasher.org (Atom Smasher)
Date: Sat Feb 5 21:31:50 2005
Subject: Howto multiple mail accts.
In-Reply-To: <9d7e2bf905020500264adbfe92@mail.gmail.com>
References: <9d7e2bf905020500264adbfe92@mail.gmail.com>
Message-ID: <20050205203528.74659.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Sat, 5 Feb 2005, Toni wrote:
> I'm new to gpg and have some doubts I could not google. Please direct me
> to a FAQ / HOWTO / etc if such document exists:
>
> I have several mail accounts, some personal, some for work, etc. I have
> seen three possibilities to deal with this:
>
> - Add multiple UIDs to my main key
> - Have multiple signing subkeys
> - Have secondary "complete" keys signed by my main key.
>
> I've been reading the pros/cons of each aproach and can't make up my
> mind to what is the best approach.
>
> Right now I thinnk the best would be to have a main key, with no e-mail
> at all and use this to sign other keys, one for each mail account.
>
> What do you think?
===========================
if it's no secret that all of the accounts belong to you, then a single
key with multiple UIDs is probably the best thing. it's certainly the
easiest.
if you don't want people to immediately know that all of the accounts
belong to you, then use multiple keys.
i have 3 keys that are publicly distributed. one for business and
professional correspondence, one for casual correspondence and one for an
address (read: identity) that i don't share with too many people.
on my casual correspondence key i have 2 UIDs. it's no secret that i
control both of those mailboxes.
if your multiple accounts require your key(s) to be stored on machines
that you don't own/admin (such as a company computer) then you should
consider multiple keys/subkeys.
if you decide to use multiple subkeys this might help -
http://fortytwo.ch/gpg/subkeys
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"We don't know if lobsters feel pain... [but] since
pain is a perception, we often don't know whether
people feel it either"
-- Prof. Edward Kravitz,
Harvard Medical School
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCBS4nAAoJEAx/d+cTpVcipBYH/3C2SCZ1nWhDjEYRsNhwhCg8
YH4+R4J1F8wv30/Lo+09JOMngnSsith/YpmI4ywz8QhQedUCqKlT7jczsm+natRD
Zem93ystFdgJp1SIPgT+HP0b1N9auwAlNxg9D+1YSKAGi7xB2F1siJrs/ohVmHZe
/vfi5UqN246y5m3KSTo9pGZG3e2RkWSuOJdXe94h1Hzg+F3b5bl/WEaAI27GnsNy
wxJgiP1xP2BLT+69lT23pA/QCbaYQ2hQaDRhY1OttWfuow1Iy8fjNlbHF2cme/ls
9SRedOeoGuMK9Mvjw85FxsTCG8HhfOThdvtQi7+O0b0yWpmWsiVXnlF2OoAlShY=
=D/2R
-----END PGP SIGNATURE-----
From wesley.tabadore at gmail.com Sun Feb 6 00:29:27 2005
From: wesley.tabadore at gmail.com (Wesley Tabadore)
Date: Sun Feb 6 01:25:35 2005
Subject: Strongest Key, Hash, and Cypher Algorithms
Message-ID:
Hi,
I'm new to GPG and encryption in general and trying to figure out the
strongest way to encrypt files (less than 100 megs in size). Speed is
not at all a concern, strength of the encryption is the most critical
thing.
I would like to encrypt some files symmetrically and other files
asymmetrically, so I am trying to understand the strength of both
methods.
Based on the research I have done thus far, I undertand that in both
cases, I need to ensure the passphrases are strong. Having long
passphrases is not an issue. I am inclined to use the DiceWare method
to generate the passphrases. Any comments on this method?
Symmetric encryption: Which current GPG Hash and Cypher Algorithm are
the strongest and how many bits of entropy (or DiceWare words) would
my passphrase have to contain in order to gain the most benefit from
this Hash/Cypher Algorithm combination?
Asymmetric encryption: What type of key should I generate and how do I
choose the strongest Hash and Cypher Algorithm when encrypting files?
Also how long should my passphrase be (bits of entropy or DiceWare
words) in order to gain the most benefit in security from this scheme?
Thanks in advance,
Wes
From dany_list at natzo.com Sun Feb 6 15:01:14 2005
From: dany_list at natzo.com (Dany Nativel)
Date: Sun Feb 6 14:57:34 2005
Subject: GnuPG 1.4.1rc1 + Smart Card reader package for Knoppix/Kanotix
In-Reply-To: <42028CB1.4050509@natzo.com>
References: <41F7D813.6030804@natzo.com> <42028CB1.4050509@natzo.com>
Message-ID: <4206232A.90005@natzo.com>
Hello,
In a previous post (Any LiveCD with GnuPG 1.4?) I was asking about a
potential LiveCD that supports Gnupg 1.4 (at least).
Thanks everyone for the valuable comments you've provided.
I received a private email from David Lorch suggesting recompiling gpg
and associated libraries under Knoppix by mounting some ramdisk.
I kind of tried but it didn't go very far. Finally I found a way to get
gpg 1.4.1rc1 to run under Knoppix without much hassle (using a SCM
SCR331 reader which has a driver built-in gnupg). In fact it was as easy
as ./configure and make !
I then added additional drivers for various readers using the Klik
technology. In the end I had a handy package that contained gpg1.4.1rc1
as well as drivers that I could carry around and use with almost any
Knoppix/Kanotix LiveCD. This is very convenient when it comes to key
generation (on-card for example with off-card backup for example).
1) Boot from Knoppix CD (3.7 12/08) or even better from Kanotix BH X
IMPORTANT : for Knoppix I only used boot: knoppix26 .... I couldn't
get most of my USB peripherals to work with regule knoppix (2.4).
Kanotix is 2.6 by default so no problems.
2) Download and extract gnupg-1.4.1-rc from
ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2 for
example in your home directory (/home/knoppix)
3) Compile GnuPG
cd ~/gnupg-1.4.1rc1
./configure
make
the executable is available in ~/gnupg-1.4.1rc1/g10
4) Smart Card Reader
a) CCID reader directly supported by gnupg (e.g. USB SCM SCR331)
Nothing to do ... just use it : ~/gnupg-1.4.1rc1/g10/gpg --card-status
b) CCID reader supported by libccid (see
http://pcsclite.alioth.debian.org/ccid.html for a list of supported readers)
I've used it with the Gemplus GemTwin USB.
In order to use libccid you need the pcscd which can be downloaded as a
"klik" application for Knoppix.
Knoppix users you need an extra step to get the klik client up and
running (Kanotix users... go to the next step):
# Press Alt-F2 and paste:
# wget klik.atekon.de/client/install -O -|sh
Go to the following address
http://klik.atekon.de/details.php?section=misc&package=pcscd and
"klik" to install
or
even faster open a web browser and enter : klik://pcscd
Now killall pcscd session that may have been opened during the
installation process. I noticed that the pcscd would only work if
launched with debug options.
This pcscd packages includes the libccid drivers by default so it's
ready to go.
Unfortunately gnupg is looking for libpcslite.so so a link has to be
created :
ln /tmp/klik/pcscd/usr/lib/libpcsclite.so.1
/tmp/klik/pcscd/usr/lib/libpcsclite.so
Now it's time to start the pcscd from the command line (not the icon on
your desktop)
/tmp/klik/pcscd/wrapper pcscd -af
NB: this worked fine under Knoppix but not under Kanotix, sudo
/tmp/klik/pcscd/wrapper pcscd -af solved the problem
Before starting gpg you need to set the path to libpcsclite.so :
export LD_LIBRARY_PATH=/tmp/klik/pcscd/usr/lib/:$LD_LIBRARY_PATH
You can now start gnupg but remember that if you're using a CCID reader
not supported by GnuPG itself you must disable ccid when calling GnuPG
so it won't try to talk to the reader directly. For example the GemTwin
will fail if not started with the extra option.
~/gnupg-1.4.1rc1/g10/gpg --card-status --disable-ccid
NB: SCR331 can also be used with libccid (it's supported by both gnupg
and libccid)
c) Other Smart Card readers
If none of your reader is supported by the above solutions you need to
install an additional driver.
Klik provides a convenient way to download precompiled drivers. Below is
a list of available drivers:
- libasedrive-serial | PC/SC driver for the Athena ASEDrive IIIe serial
smart card reader
- libasedrive-usb | PC/SC driver for the Athena ASEDrive IIIe USB smart
card reader
- libcteco50000 | Orga Eco 5000 smartcard reader PCSC and CT-API driver
- libetoken | PC/SC Driver for Aladdin's eToken usb plug
- libgcr410 | PC/SC driver for GemPlus GCR410 serial SmartCard interface
- libgempc410 | PC/SC driver for the GemPC 410, 412, 413 and 415 smart
card readers
- libgempc430 | PC/SC driver for the GemPC 430, 432, 435 smart card readers
- libslbreflex2 | Reflex 62/64 smartcard reader PCSC and CT-API driver
- libtowitoko2 | Towitoko smartcard reader PCSC and CT-API driver
Example : USB Towitoko Chipdrive Micro 130
After "kliking" on libtowitoko2
(http://klik.atekon.de/details.php?section=libs&package=libtowitoko2)
you'll find a new directory under /temp/klik called towitoko2
The drivers files need to be placed under the pcscd directory and
according to a specific directory organization
mkdir /tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle
mkdir /tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle/Contents
mkdir
/tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle/Contents/Linux
cp /tmp/klik/libtowitoko2/usr/lib/libtowitoko.so.2.0.0
/tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle/Contents/Linux
cp /tmp/klik/libtowitoko2/usr/share/towitoko/Info.plist
/tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle/Contents
and then start pcscd the same way :
/tmp/klik/pcscd/wrapper pcscd -af (with sudo if using Kanotix)
Don't forget to set the path to libpcsclite.so before running gnupg :
export LD_LIBRARY_PATH=/tmp/klik/pcscd/usr/lib/:$LD_LIBRARY_PATH
~/gnupg-1.4.1rc1/g10/gpg --card-status
NB: Serial reader may also be used but they'll need a little bit more
tweaking for properly configuring the serial port and so on. I tried to
play a little bit with the GCR415 without success.
5) Conclusion
Now that you've got your reader up and running you probably don't want
to go to this process next time you're booting from Knoppix/Kanotix.
The only thing you need to save (on a USB drive for example) is the
/tmp/klik directory and gpg executable files
You can also use the convenient persistent home directory and just move
the klik to it so it will be available all the time. Don't forget to
adjust the export LD_LIBRARY_PATH accordingly !
I've packaged a pre-compiled gpg-1.4.1rc1, pcsd (including libccid) and
towitoko driver so you can just extract it under /home/knoppix and
follow the instructions found in the short readme file.
The file can be downloaded from http://natzo.com/klik-gpg1.4.1rc1.tar.gz
This should help users seeking to generate their keys on-card and save a
backup copy off-card. For more security you should probably recompile
gpg yourself (it doesn't take that long). One could also disable network
connections (Knoppix sets them up automatically) and use encrypted swap
file (especially if swap is mounted on a hdd).
Dany
From henkdebruijn at wanadoo.nl Sun Feb 6 17:41:36 2005
From: henkdebruijn at wanadoo.nl (Henk de Bruijn)
Date: Sun Feb 6 17:37:45 2005
Subject: [Announce] release candidate for 1.4.1 available
In-Reply-To: <87fz0dhnjp.fsf@wheatstone.g10code.de>
References: <87fz0dhnjp.fsf@wheatstone.g10code.de>
Message-ID: <1147928909.20050206174136@wanadoo.nl>
> We are pleased to announce the availability of a release candidate for
> the forthcoming 1.4.1 version of gnupg:
> A binary for Windows is also available:
>
> ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe
> (1377k)
> Please try these versions out and report any problems. The installer
> used for the Windows binary package is pretty basic right now but
> nevertheless a first step. In particular, selecting the language to
> use still needs manual interaction. We hope to improve it over time.
Up and running like a charm!
--
Henk
______________________________________________________________________
The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2
PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678
Gossamer Spider Web of Trust GSWoT http://www.gswot.org/
A Progressive and Innovative Web of Trust
From wk at gnupg.org Sun Feb 6 19:47:02 2005
From: wk at gnupg.org (Werner Koch)
Date: Sun Feb 6 19:46:25 2005
Subject: "Malformed user id"
In-Reply-To: <4204E6C8.7090907@gmx.de> (
=?utf-8?q?Thomas_F=2E_D=C3=BCllmann's_message_of?= "Sat, 05 Feb 2005
16:31:20 +0100")
References: <4204E6C8.7090907@gmx.de>
Message-ID: <87mzuh8r15.fsf@wheatstone.g10code.de>
On Sat, 05 Feb 2005 16:31:20 +0100, Thomas F D?llmann said:
> I tried to encrypt it, but it just created a file named Crypt.txt.asc
> , but then the same error message occured ("Malformed user id").
What is the content of your gpg.conf?
Shalom-Salam,
Werner
From thfrdue at gmx.de Sun Feb 6 20:06:45 2005
From: thfrdue at gmx.de (=?UTF-8?B?IlRob21hcyBGLiBEw7xsbG1hbm4i?=)
Date: Sun Feb 6 20:02:40 2005
Subject: "Malformed user id"
In-Reply-To: <87mzuh8r15.fsf@wheatstone.g10code.de>
References: <4204E6C8.7090907@gmx.de> <87mzuh8r15.fsf@wheatstone.g10code.de>
Message-ID: <42066AC5.9030702@gmx.de>
Werner Koch schrieb:
>On Sat, 05 Feb 2005 16:31:20 +0100, Thomas F D?llmann said:
>
>
>
>>I tried to encrypt it, but it just created a file named Crypt.txt.asc
>>, but then the same error message occured ("Malformed user id").
>>
>>
>
>What is the content of your gpg.conf?
>
>
>
>
Here the content of the gpg.conf:
default-key # ********* // both keys are
the same
encrypt-to # ********
keyserver-options auto-key-retrieve
photo-viewer C:\Programme\GPGshell\gpgview.exe %i /title 0x%k
#load-extension Lib\idea
# keyserver ldap://pgp.surfnet.nl:11370
# keyserver ldap://keyserver.pgp.com:11370
# keyserver ldap://certserver.pgp.com
keyserver x-hkp://keyserver.kjsl.com
keyserver x-hkp://pgp.dtype.org
keyserver x-hkp://pgp.mit.edu
keyserver x-hkp://pks.gpg.cz
keyserver x-hkp://random.sks.keyserver.penguin.de
keyserver x-hkp://pgpkeys.pca.dfn.de
Thank You
Thomas
Email: thfrdue@gmx.de
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.5 - Release Date: 03.02.2005
From jharris at widomaker.com Mon Feb 7 02:50:48 2005
From: jharris at widomaker.com (Jason Harris)
Date: Mon Feb 7 02:47:56 2005
Subject: new (2005-02-06) keyanalyze results (+sigcheck)
Message-ID: <20050207015048.GF3466@wilma.widomaker.com>
New keyanalyze results are available at:
http://keyserver.kjsl.com/~jharris/ka/2005-02-06/
Signatures are now being checked using keyanalyze+sigcheck:
http://dtype.org/~aaronl/
Earlier reports are also available, for comparison:
http://keyserver.kjsl.com/~jharris/ka/
Even earlier monthly reports are at:
http://dtype.org/keyanalyze/
SHA-1 hashes and sizes for all the "permanent" files:
4f90c2b998d6a2946b400223ef4f136f5145d103 11308176 preprocess.keys
018fa151a214140f7ce50ec594e57fb763309532 7147601 othersets.txt
b08526172e2d1791045cb93afded087be803719d 2864126 msd-sorted.txt
ee7513d6673185c48dd654a1e8e683b1f7c8788f 1450 index.html
5ab2a52c9bec6696be6a4c990c2f3354a6e98cce 2290 keyring_stats
3fc4462b3381802c07c897db2072b6b357a4f236 1126947 msd-sorted.txt.bz2
8c088e5ea0bf51e74d980c8836839f3b71b38ac1 26 other.txt
9afec2c9f388a23ed3135f44ad8bbb8af0bbac28 1536770 othersets.txt.bz2
0ed0596f5a988a58c49043859bd7a819440b27fb 4568885 preprocess.keys.bz2
0f30f51d498009716976eaee8dd7fbf4f7566a4f 11268 status.txt
442b8444c261e6a8813834c98b61332c5dc91e4e 211730 top1000table.html
d3a67e0ad9404f19ef60c34290459a5a02903940 30452 top1000table.html.gz
216624310787e93b5f7b6eeb0ebfc363e32b431b 10997 top50table.html
6b55bc800c591e0057e14163bc5d7770ce2e8d3e 2369 D3/D39DA0E3
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050206/bd0393f0/attachment.pgp
From atom at smasher.org Mon Feb 7 07:00:06 2005
From: atom at smasher.org (Atom Smasher)
Date: Mon Feb 7 06:56:05 2005
Subject: Strongest Key, Hash, and Cypher Algorithms
In-Reply-To:
References:
Message-ID: <20050207055949.17827.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Sat, 5 Feb 2005, Wesley Tabadore wrote:
> I'm new to GPG and encryption in general and trying to figure out the
> strongest way to encrypt files (less than 100 megs in size). Speed is
> not at all a concern, strength of the encryption is the most critical
> thing.
==================
there are no weak algorithms in pgp/gpg. even the "weakest" algorithms
should be fine against any attack that can currently be mounted against
them.
> I would like to encrypt some files symmetrically and other files
> asymmetrically, so I am trying to understand the strength of both
> methods.
====================
the strength of symmetric encryption is that you don't need to keep a key
in a file. all you need to do is remember the passphrase and you will
always be able to decrypt your data.
the strengths of asymmetric encryption are unattended encryption (you
don't have to type a passphrase to encrypt) and secure communication
across an insecure channel (such as the internet) between 2 or more
parties.
> Based on the research I have done thus far, I undertand that in both
> cases, I need to ensure the passphrases are strong. Having long
> passphrases is not an issue. I am inclined to use the DiceWare method
> to generate the passphrases. Any comments on this method?
========================
diceware is good. more info on other techniques -
http://atom.smasher.org/links/#passwords
> Symmetric encryption: Which current GPG Hash and Cypher Algorithm are
> the strongest and how many bits of entropy (or DiceWare words) would my
> passphrase have to contain in order to gain the most benefit from this
> Hash/Cypher Algorithm combination?
=======================
hashing is rarely done with symmetric encryption (except as part of the
s2k process). in a way, knowing the passphrase *is* authentication (and in
another way, it isn't).
(all other factors being equal) the bigger the passphrase, the more
protection. the question you should ask is "what size passphrase is
sufficient for the secrets i want to keep?" check out these sections of
the diceware FAQ -
How long should my passphrase be?
http://world.std.com/~reinhold/dicewarefaq.html#howlong
What if I want a passphrase with full 128-bit security?
http://world.std.com/~reinhold/dicewarefaq.html#128-bit
> Asymmetric encryption: What type of key should I generate and how do I
> choose the strongest Hash and Cypher Algorithm when encrypting files?
> Also how long should my passphrase be (bits of entropy or DiceWare
> words) in order to gain the most benefit in security from this scheme?
===========================
the key types and algorithm preferences, if you don't use the defaults,
should be based on your latest research and suspicions of what information
you have. some people don't like 3DES... other people don't like
BLOWFISH/TWOFISH... i don't like AES... at the end of the day, none of the
algorithms are broken, or even close to being broken, but many of us have
our favorites. only your research and/or crystal ball will dictate which
algorithms you decide to trust most, or not at all.
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"I have presented factual data, statistical data, and
projected data. Form your own conclusions. Perhaps the
NSA has found a polynomial-time (read: fast) factoring
algorithm. But we cannot dismiss an otherwise secure
cryptosystem due to paranoia. Of course, on the same
token, we cannot trust cryptosystems on hearsay or
assumptions of security. Bottom line is this: in the
field of computer security, it pays to be cautious. But
it doesn't pay to be un-informed or needlessly paranoid.
Know the facts."
-- infiNity, The PGP Attack FAQ
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCBwP0AAoJEAx/d+cTpVci9TUH+wfLOJoyiK4TLrqYCDf6fFre
6iut7IoVGIzAocwR9WRDxH8+6oZX2u+8QNQA1Y+X8O6b1WUH0T0DRX0EOAuI9y97
QiO0pv0/IcMS52RzOYDnc4OzDEmmnu+qYBHE4ePqBgK8tzsqPEWswrfkmZjDQq5A
3ljXF4jOYFlj3bl203aiqV5rovTgQd3VfDVY95V5eaTSPI/QWWMFIYT704iRceMb
WMVltunszkbV8xMZJUFTsgcyS0YQ5OablVZmkWwxaRkQ778+EtM+C9Vo41xD9xTx
ivJetPxeCjeSWf446LTPgpM3i8/H3p20RmGapJjwcS0wVVl7o4/4ga1Zz0vZOzE=
=W93E
-----END PGP SIGNATURE-----
From ms419 at freezone.co.uk Mon Feb 7 05:52:00 2005
From: ms419 at freezone.co.uk (ms419@freezone.co.uk)
Date: Mon Feb 7 07:35:56 2005
Subject: "http" & "finger" keyserver schemes
Message-ID: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk>
I don't get how to receive keys using using the "http" & "finger"
keyserver schemes.
I tried some variations on -
gpg --keyserver finger:wk@g10code.com --recv-keys
gpg --keyserver "http://eatflamingdeath.com/~dleslie/pubkey.asc"
--recv-keys
- but nothing I tried worked. Receiving keys from "ldap" or "hkp"
keyservers is no problem -
gpg --keyserver ldap://keyserver.pgp.com --search-keys Lypkie
gpg --keyserver hkp://pgp.mit.edu --search-keys Demwell
Frustratingly, I couldn't find examples on the web or in the
documentation of using "http" or "finger" keyserver schemes. Can anyone
help?
Thanks!
Jack
From list at rachinsky.de Mon Feb 7 08:39:27 2005
From: list at rachinsky.de (Nicolas Rachinsky)
Date: Mon Feb 7 08:35:35 2005
Subject: "http" & "finger" keyserver schemes
In-Reply-To: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk>
References: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk>
Message-ID: <20050207073927.GA27995@pc5.i.0x5.de>
* ms419@freezone.co.uk [2005-02-06 20:52 -0800]:
> I don't get how to receive keys using using the "http" & "finger"
> keyserver schemes.
>
> I tried some variations on -
>
>
> gpg --keyserver finger:wk@g10code.com --recv-keys
>
> gpg --keyserver "http://eatflamingdeath.com/~dleslie/pubkey.asc"
> --recv-keys
You have to add an keyid.
gpg --keyserver http://www.rachinsky.de/nicolas/pgp/nicolas_rachinsky.asc --recv 12345678
Works fine here.
Nicolas
From devegades at gmail.com Mon Feb 7 11:37:01 2005
From: devegades at gmail.com (Toni)
Date: Mon Feb 7 11:33:30 2005
Subject: Howto multiple mail accts.
In-Reply-To: <20050205203528.74659.qmail@smasher.org>
References: <9d7e2bf905020500264adbfe92@mail.gmail.com>
<20050205203528.74659.qmail@smasher.org>
Message-ID: <9d7e2bf9050207023749c96b94@mail.gmail.com>
On Sat, 5 Feb 2005 15:35:41 -0500 (EST), Atom Smasher wrote:
> On Sat, 5 Feb 2005, Toni wrote:
>
> > I have several mail accounts, some personal, some for work, etc.
>
> if it's no secret that all of the accounts belong to you, then a single
> key with multiple UIDs is probably the best thing. it's certainly the
> easiest.
Yes, I was considering this approach for my work accounts. With those
it can even be good to publicize the other accounts. The question is
what happens when you change project / client / etc and are given a
new mail address? Do you need everybody to resign your key or does it
suffice to add / delete UIDs?
> if you don't want people to immediately know that all of the accounts
> belong to you, then use multiple keys.
Yes, that's why I wanted to have a master and several other keys. Even
if it would be easy for the knowledgeable to find out all addresses I
have, it would not be evident for the casual spammer.
> i have 3 keys that are publicly distributed. one for business and
> professional correspondence, one for casual correspondence and one for an
> address (read: identity) that i don't share with too many people.
>
> on my casual correspondence key i have 2 UIDs. it's no secret that i
> control both of those mailboxes.
Similar to my situation.
> if you decide to use multiple subkeys this might help -
> http://fortytwo.ch/gpg/subkeys
Yes, I had already seen this. To my novice eyes it seems to much of
twiddling. Maybe when I have some more experience I'll give it another
look.
Thanks for your comments.
--
Toni
From dshaw at jabberwocky.com Mon Feb 7 14:19:30 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Feb 7 14:16:14 2005
Subject: "http" & "finger" keyserver schemes
In-Reply-To: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk>
References: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk>
Message-ID: <20050207131930.GA29857@jabberwocky.com>
On Sun, Feb 06, 2005 at 08:52:00PM -0800, ms419@freezone.co.uk wrote:
> I don't get how to receive keys using using the "http" & "finger"
> keyserver schemes.
>
> I tried some variations on -
>
>
> gpg --keyserver finger:wk@g10code.com --recv-keys
>
> gpg --keyserver "http://eatflamingdeath.com/~dleslie/pubkey.asc"
> --recv-keys
>
>
> - but nothing I tried worked. Receiving keys from "ldap" or "hkp"
> keyservers is no problem -
>
>
> gpg --keyserver ldap://keyserver.pgp.com --search-keys Lypkie
>
> gpg --keyserver hkp://pgp.mit.edu --search-keys Demwell
>
>
> Frustratingly, I couldn't find examples on the web or in the
> documentation of using "http" or "finger" keyserver schemes. Can anyone
> help?
http and finger schemes are most useful for putting in preferred
keyserver URLs so the key can be automatically refreshed. They're not
really intended for use on the command line, but it's possible to fool
the system into working on the command line by doing something like:
gpg --keyserver finger:the_finger@example.com --recv-keys 99999999
i.e. "receive key 99999999 from finger:the_finger@example.com". The
key that arrives probably won't be 99999999, but it'll arrive anyway.
David
From mconahan at iotest.org Mon Feb 7 19:31:45 2005
From: mconahan at iotest.org (mconahan@iotest.org)
Date: Mon Feb 7 19:28:04 2005
Subject: Creating a RFC3156 compliant encrypted message with Gnu PG
In-Reply-To: <000e01c50b05$19144cf0$f300a8c0@HOME>
References: <000e01c50b05$19144cf0$f300a8c0@HOME>
Message-ID: <4207B411.8000400@iotest.org>
Kiefer, Sascha wrote:
Yes, I knew that, but thanks for your response. There was another
responder who recommended that I should obtain the Enigmail (or Mutt)
source, and view how those apps process rfc 3156 (PGP/MIME) messages.
I'm taking that approach...I'm currently upgrading my environment with
the requisites (Mozilla 1.7.x/Gnu PG 1.4), before compiling and
installing Enigmail.
>Well, you have to build the MIME structure yourself.
>As far as i know GnuPG does not know about MIME in particular.
>Have fun.
>
>esskar
>
>
>
>>-----Original Message-----
>>From: gnupg-users-bounces@gnupg.org
>>[mailto:gnupg-users-bounces@gnupg.org] On Behalf Of
>>mconahan@iotest.org
>>Sent: Freitag, 4. Februar 2005 22:38
>>To: gnupg-users@gnupg.org
>>Subject: Creating a RFC3156 compliant encrypted message with Gnu PG
>>
>>
>>Does anyone know how to create a RFC 3156 compliant PGP encrypted
>>message with Gnu PG? I am building an app that is making use
>>of the Gnu
>>PG functionality, and I am having some trouble getting other PGP apps
>>(said to be 3156 compliant) to accept it. I have read both
>>RFC 3156 and
>>2015, and I seem to be missing something, since it isn't working.
>>
>>Does anyone know of tutorial site, or has a script that creates a RFC
>>3156 compliant message? Any help would be appreciated.
>>
>>
>>_______________________________________________
>>Gnupg-users mailing list
>>Gnupg-users@gnupg.org
>>http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>
>>
>>
>
>
>
>
From mconahan at iotest.org Mon Feb 7 22:01:55 2005
From: mconahan at iotest.org (mconahan@iotest.org)
Date: Mon Feb 7 21:58:25 2005
Subject: Creating a RFC3156 compliant encrypted message with Gnu PG
In-Reply-To: <4203F2AA.2030909@comcast.net>
References: <4203EB49.20604@iotest.org> <4203F2AA.2030909@comcast.net>
Message-ID: <4207D743.9000907@iotest.org>
John Clizbe wrote:
> mconahan@iotest.org wrote:
>
> >Does anyone know how to create a RFC 3156 compliant PGP encrypted
> >message with Gnu PG? I am building an app that is making use of the Gnu
> >PG functionality, and I am having some trouble getting other PGP apps
> >(said to be 3156 compliant) to accept it. I have read both RFC 3156 and
> >2015, and I seem to be missing something, since it isn't working.
>
> >Does anyone know of tutorial site, or has a script that creates a RFC
> >3156 compliant message? Any help would be appreciated.
>
>
> Check the source code for Enigmail or Mutt.
>
> --
> John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
> GingerBear Consluting PGP/GPG KeyID: 0x608D2A10
> "what's the key to success?" / "two words: good decisions."
> "what's the key to good decisions?" / "one word: experience."
> "how do i get experience?" / "two words: bad decisions."
>
> "Just how do the residents of Haiku, Hawai'i hold conversations?"
Thanks. I'll look into it.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
From rmalayter at bai.org Mon Feb 7 22:01:45 2005
From: rmalayter at bai.org (Ryan Malayter)
Date: Mon Feb 7 21:58:34 2005
Subject: Strongest Key, Hash, and Cypher Algorithms
Message-ID: <792DE28E91F6EA42B4663AE761C41C2A039DC8C0@cliff.bai.org>
[From Atom Smasher]
> i don't like AES...
None of the papers I've read suggest anything close to an attack that is
better than brute-force on full-round AES. Although, I have seen some in
the crypto field complain Rijndael is just "too simple" to be secure. Of
course, the same was said about RC4 many years ago, and AFAIK there are
still no attacks better than brute force against the RC4 algorithm
itself (protocol issues in WEP don't count).
Just to edjumacate myself, as W. would say, what are your reasons for
disliking AES? I've been using it more and more frequently for VPNs I
set up when there is no hardware crypto assist available, since the CPU
utilization is so much lower than with 3DES.
I just want to make sure I'm not missing something. Did anything "scary"
come out about AES recently?
Regards,
Ryan
From atom at smasher.org Mon Feb 7 22:05:56 2005
From: atom at smasher.org (Atom Smasher)
Date: Mon Feb 7 22:01:28 2005
Subject: OT - pgp art
Message-ID: <20050207210516.36506.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
some pgp artwork/wallpaper - http://www.deviantart.com/deviation/14884064/
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"MEATLESS" - US government standards allow the use of the
word "Meatless" to allow up to 2% animal product and/or
meat content.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCB9g6AAoJEAx/d+cTpVciBPgH/3xanEYM0pjhox+TMH1fdY2s
8Nj+S39u1hFP1sQBy86jLpf1W8q0yZAL2okH6XyiChUmJ5rb649McDKSPnV9MycI
Ayg8v4YM5ScPQfp6dEOqtfcQYm7d7OMGZ6ipI5iddeqZ5AE9QNu6tj0hgzC4cjKQ
lboDuEk3qmianj6bcVMMRtoOoeB+xlYyMKJcCX6dNIAj1JkVkwcdT3gSJKxrNXYL
tS2NV65WT34rdOPNo2hw1xYiUl2BN8Fri+iBRgyhN4QPidv9A10MkhPemwNe2aSQ
3Y/oMySjBsujLHCfepIu6TJqjuSLSmPVO49cWD3raFSzKtW62nBm84XGa27skNk=
=h8Uo
-----END PGP SIGNATURE-----
From atom at smasher.org Mon Feb 7 22:37:09 2005
From: atom at smasher.org (Atom Smasher)
Date: Mon Feb 7 22:32:43 2005
Subject: Strongest Key, Hash, and Cypher Algorithms
In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2A039DC8C0@cliff.bai.org>
References: <792DE28E91F6EA42B4663AE761C41C2A039DC8C0@cliff.bai.org>
Message-ID: <20050207213634.55149.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Mon, 7 Feb 2005, Ryan Malayter wrote:
> [From Atom Smasher]
>> i don't like AES...
>
> None of the papers I've read suggest anything close to an attack that is
> better than brute-force on full-round AES. Although, I have seen some in
> the crypto field complain Rijndael is just "too simple" to be secure. Of
> course, the same was said about RC4 many years ago, and AFAIK there are
> still no attacks better than brute force against the RC4 algorithm
> itself (protocol issues in WEP don't count).
===================
there have been several succesful attacks against against RC4, but only
when it's incorectly implemented. the lesson here is that some good
algorithms are weakly implemented... some algorithms are difficult to
implement correctly. i think elgamal for signatures falls into that
category.
> Just to edjumacate myself, as W. would say, what are your reasons for
> disliking AES? I've been using it more and more frequently for VPNs I
> set up when there is no hardware crypto assist available, since the CPU
> utilization is so much lower than with 3DES.
================
http://en.wikipedia.org/wiki/AES#Security
Some cryptographers worry about the security of AES. They feel
that the margin between the number of rounds specified in the cipher and
the best known attacks is too small for comfort. The risk is that some way
to improve these attacks might be found and that, if so, the cipher could
be broken. In this meaning, a cryptographic "break" is anything faster
than an exhaustive search, so an attack against 128-bit key AES requiring
'only' 2120 operations would be considered a break even though it would
be, now, quite infeasible. In practical application, any break of AES
which is only this 'good' would be irrelevant. For the moment, such
concerns can be ignored. The largest publically-known brute-force attack
has been against a 64 bit RC5 key by distributed.net.
Another concern is the mathematical structure of AES. Unlike most
other block ciphers, AES has a very neat mathematical description [2]
(http://www.macfergus.com/pub/rdalgeq.html), [3]
(http://www.isg.rhul.ac.uk/~sean/). This has not yet led to any attacks,
but some researchers are worried that future attacks may find a way to
exploit this structure.
In 2002, a theoretical attack, termed the "XSL attack", was
announced by Nicolas Courtois and Josef Pieprzyk, showing a potential
weakness in the AES algorithm. It seems that the attack, if the
mathematics is correct, is not currently practical as it would have a
prohibitively high "work factor". There have been claims of considerable
work factor improvement, however, so the attack technique might become
practical in the future. On the other hand, several cryptography experts
have found problems in the underlying mathematics of the proposed attack,
suggesting that the authors have made a mistake in their estimates.
Whether this line of attack can be made to work against AES remains an
open question. For the moment, as far as is publicly known, the XSL attack
against AES is speculative; it is unlikely that anyone could carry out the
current attack in practice.
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"There is no such thing at this date of the world's history in
America as an independent press. You know it, and I know it.
There is not one of you who dares to write his honest
opinion, and if you did, you know beforehand it would never
appear in print. I am paid weekly for keeping my honest
opinion out of the paper. Others of you are paid similar
salaries for similar things. And any of you who would be so
foolish as to write honest opinions would be out on the
streets looking for another job.
"If I allow my honest opinions to appear in one issue of my
paper, before 24 hours, my occupation would be gone. The
business of the journalist is to destroy the truth, to lie
outright, to pervert, to vilify, to fawn at the feet of
Mammon and to sell his country and his race for his daily
bread. You know it, and I know it, and what folly is this
toasting an independent press? We are the tools and the
vassals of rich men behind the scenes. We are the jumping
jacks. They pull the strings, and we dance. Our talents, our
possibilities and our lives are all the property of other men.
"We are intellectual prostitutes."
-- John Swinden, 1953, then head of the New York
Times, when asked to toast an independent press
in a gathering at the National Press Club.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCB9+NAAoJEAx/d+cTpVcitjgH/3OVMpY8QXblFfvrmeaG86/A
ZJ7H+eqbMKKtIWexYpcthlNdbm2le9TNdx0b5BhiWVJot0R+8XncMYvLtP5z/dMR
WdowPoZ2f1EzpXDOwLS4rTEQG7GgcJnSYTBch9ow7A3D03z4XG8Q6wVla2Gn1Sum
JpmnL2Wm/aC6y/iK+JCy1s9Psq3yka+yuo+8vPJd4t3vZnwKZFMLs2TuJUqpMHiT
ocooXsjKPIPADxvg+0b5W+iDUs/dBvX3Y/Q+wG5HoD/x34pcyBTnaib/XEqF7N0I
OH/Gw16DB7CA69dzOtikE0dyvBaFENkFNbHxytls043DI89cRSAiu+EYL+fZPq4=
=CfPS
-----END PGP SIGNATURE-----
From wesley.tabadore at gmail.com Mon Feb 7 22:56:31 2005
From: wesley.tabadore at gmail.com (Wesley Tabadore)
Date: Mon Feb 7 22:52:39 2005
Subject: Strongest Key, Hash, and Cypher Algorithms
In-Reply-To: <20050207213634.55149.qmail@smasher.org>
References: <792DE28E91F6EA42B4663AE761C41C2A039DC8C0@cliff.bai.org>
<20050207213634.55149.qmail@smasher.org>
Message-ID:
Atom,
This is great information! Can you provide such an analysis for TWOFISH?
How about for the asymmetric algorithms supported by GPG?
There is so much data to sort through out there, it is difficult to
come up with the consise explanations and feedback you have given thus
far. Would really apreciate more on the other options. :-)
Thanks,
Wes
On Mon, 7 Feb 2005 16:37:09 -0500 (EST), Atom Smasher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Mon, 7 Feb 2005, Ryan Malayter wrote:
>
> > [From Atom Smasher]
> >> i don't like AES...
> >
> > None of the papers I've read suggest anything close to an attack that is
> > better than brute-force on full-round AES. Although, I have seen some in
> > the crypto field complain Rijndael is just "too simple" to be secure. Of
> > course, the same was said about RC4 many years ago, and AFAIK there are
> > still no attacks better than brute force against the RC4 algorithm
> > itself (protocol issues in WEP don't count).
> ===================
>
> there have been several succesful attacks against against RC4, but only
> when it's incorectly implemented. the lesson here is that some good
> algorithms are weakly implemented... some algorithms are difficult to
> implement correctly. i think elgamal for signatures falls into that
> category.
>
>
> > Just to edjumacate myself, as W. would say, what are your reasons for
> > disliking AES? I've been using it more and more frequently for VPNs I
> > set up when there is no hardware crypto assist available, since the CPU
> > utilization is so much lower than with 3DES.
> ================
>
> http://en.wikipedia.org/wiki/AES#Security
>
> Some cryptographers worry about the security of AES. They feel
> that the margin between the number of rounds specified in the cipher and
> the best known attacks is too small for comfort. The risk is that some way
> to improve these attacks might be found and that, if so, the cipher could
> be broken. In this meaning, a cryptographic "break" is anything faster
> than an exhaustive search, so an attack against 128-bit key AES requiring
> 'only' 2120 operations would be considered a break even though it would
> be, now, quite infeasible. In practical application, any break of AES
> which is only this 'good' would be irrelevant. For the moment, such
> concerns can be ignored. The largest publically-known brute-force attack
> has been against a 64 bit RC5 key by distributed.net.
>
> Another concern is the mathematical structure of AES. Unlike most
> other block ciphers, AES has a very neat mathematical description [2]
> (http://www.macfergus.com/pub/rdalgeq.html), [3]
> (http://www.isg.rhul.ac.uk/~sean/). This has not yet led to any attacks,
> but some researchers are worried that future attacks may find a way to
> exploit this structure.
>
> In 2002, a theoretical attack, termed the "XSL attack", was
> announced by Nicolas Courtois and Josef Pieprzyk, showing a potential
> weakness in the AES algorithm. It seems that the attack, if the
> mathematics is correct, is not currently practical as it would have a
> prohibitively high "work factor". There have been claims of considerable
> work factor improvement, however, so the attack technique might become
> practical in the future. On the other hand, several cryptography experts
> have found problems in the underlying mathematics of the proposed attack,
> suggesting that the authors have made a mistake in their estimates.
> Whether this line of attack can be made to work against AES remains an
> open question. For the moment, as far as is publicly known, the XSL attack
> against AES is speculative; it is unlikely that anyone could carry out the
> current attack in practice.
>
>
> - --
> ...atom
>
> _________________________________________
> PGP key - http://atom.smasher.org/pgp.txt
> 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
> -------------------------------------------------
>
> "There is no such thing at this date of the world's history in
> America as an independent press. You know it, and I know it.
> There is not one of you who dares to write his honest
> opinion, and if you did, you know beforehand it would never
> appear in print. I am paid weekly for keeping my honest
> opinion out of the paper. Others of you are paid similar
> salaries for similar things. And any of you who would be so
> foolish as to write honest opinions would be out on the
> streets looking for another job.
>
> "If I allow my honest opinions to appear in one issue of my
> paper, before 24 hours, my occupation would be gone. The
> business of the journalist is to destroy the truth, to lie
> outright, to pervert, to vilify, to fawn at the feet of
> Mammon and to sell his country and his race for his daily
> bread. You know it, and I know it, and what folly is this
> toasting an independent press? We are the tools and the
> vassals of rich men behind the scenes. We are the jumping
> jacks. They pull the strings, and we dance. Our talents, our
> possibilities and our lives are all the property of other men.
>
> "We are intellectual prostitutes."
> -- John Swinden, 1953, then head of the New York
> Times, when asked to toast an independent press
> in a gathering at the National Press Club.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (FreeBSD)
> Comment: What is this gibberish?
> Comment: http://atom.smasher.org/links/#digital_signatures
>
> iQEcBAEBCAAGBQJCB9+NAAoJEAx/d+cTpVcitjgH/3OVMpY8QXblFfvrmeaG86/A
> ZJ7H+eqbMKKtIWexYpcthlNdbm2le9TNdx0b5BhiWVJot0R+8XncMYvLtP5z/dMR
> WdowPoZ2f1EzpXDOwLS4rTEQG7GgcJnSYTBch9ow7A3D03z4XG8Q6wVla2Gn1Sum
> JpmnL2Wm/aC6y/iK+JCy1s9Psq3yka+yuo+8vPJd4t3vZnwKZFMLs2TuJUqpMHiT
> ocooXsjKPIPADxvg+0b5W+iDUs/dBvX3Y/Q+wG5HoD/x34pcyBTnaib/XEqF7N0I
> OH/Gw16DB7CA69dzOtikE0dyvBaFENkFNbHxytls043DI89cRSAiu+EYL+fZPq4=
> =CfPS
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
From hmujtaba at forumsys.com Mon Feb 7 23:09:49 2005
From: hmujtaba at forumsys.com (Hasnain Mujtaba)
Date: Mon Feb 7 23:41:13 2005
Subject: Partial body length encoding for Compressed packets
Message-ID: <4DCE15B9C4E66F4CA967EBF64C53D64D67B3FE@bstn-exch1.forumsys.com>
Hi David,
I generated a PGP 2 style packet using GPG's --pgp2 option and tore it
apart to look inside its structure. I found that both the encrypted and
literal data packets are broken into RFC 2440 style partial body length
chunks. But, as you explained, the compressed packet was indeterminate
length encoded.
I find this behavior perplexing. They made PGP 2 RFC2440 compliant only
for encrypted and literal packets. But why not for compressed packets as
well?
Is this behavior found in PGP 5.x. PGP 6.x, and PGP 7.x as well, i.e RFC
2440 chunking for literal & encrypted packets, but indeterminate for
compressed packets? Or will PGP 5.x and above, understand chunking for
all three packets?
Not meaning to beat on a dead horse, but this forum is my only hope of
staying sane in a world of interoperability minefields.
Regards,
Hasnain.
-----Original Message-----
From: gnupg-users-bounces@gnupg.org
[mailto:gnupg-users-bounces@gnupg.org] On Behalf Of David Shaw
Sent: Monday, August 09, 2004 8:25 PM
To: gnupg-users@gnupg.org
Subject: Re: Partial body length encoding for Compressed packets
On Sat, Aug 07, 2004 at 06:11:59PM -0400, Hasnain Mujtaba wrote:
> Hi everyone,
>
> I am working with RFC2440 partial body length (PBL) encoding for my
app.
> I have noticed that even though GPG's Encrypted Data Packets are cut
> into partial body length (PBL) chunks, the enclosed Compressed Data
> Packets are encoded using indeterminate lengths, rather than PBLs. Is
> this the default behavior for GPG and if so for what reasons?
>
> If possible, I would like GPG to create both compressed data packets
and
> enclosed literal data packets using PBL encoding. Is there some way to
> force enable this feature?
For PGP 2 compatibility reasons, GnuPG uses indeterminate lengths for
compressed packets. There is no way to change this, but if you are
willing to compile a special GnuPG to test with, you can do something
like setting "new_ctb" to 1 in build_packet() when generating a
compressed data packet.
David
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
From atom at smasher.org Mon Feb 7 23:53:44 2005
From: atom at smasher.org (Atom Smasher)
Date: Mon Feb 7 23:49:34 2005
Subject: Strongest Key, Hash, and Cypher Algorithms
In-Reply-To:
References: <792DE28E91F6EA42B4663AE761C41C2A039DC8C0@cliff.bai.org>
<20050207213634.55149.qmail@smasher.org>
Message-ID: <20050207225304.18999.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Mon, 7 Feb 2005, Wesley Tabadore wrote:
> This is great information! Can you provide such an analysis for
> TWOFISH?
>
> How about for the asymmetric algorithms supported by GPG?
>
> There is so much data to sort through out there, it is difficult to come
> up with the consise explanations and feedback you have given thus far.
> Would really apreciate more on the other options. :-)
======================
i'm flattered that you like it so much, but i'm not a cryptographer.
although i have a good understanding of the protocols i actually suck
really bad at the math.
most of the information is out there, although a lot of it is dated.
i guess you could start here -
The PGP Attack FAQ
http://www.stack.nl/~galactus/remailers/attack-faq.html
PGP DH vs. RSA FAQ
http://www.scramdisk.clara.net/pgpfaq.html
Practical Attacks on PGP
http://www.privacy.com.au/pgpatk.html
http://atom.smasher.org/links/#crypto
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"All censorships exist to prevent anyone from challenging
current conceptions and existing institutions. All progress
is initiated by challenging current conceptions, and executed
by supplanting existing institutions. Consequently, the first
condition of progress is the removal of censorships."
-- George Bernard Shaw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCB/F+AAoJEAx/d+cTpVciu4gH/jtkd4GI93i23YdSGHCboiQi
D8vbaVAesqgrh/Oty7091d6b2bwP0rB7B9uWzqh7433RSG2Fe+U4LvtFfx/iVJNL
grmB6So1/+szJM6/aw2VCcmkviFtS/Ws0EkZ/0/k58d+4oxArgVlwRwZdgBB4qoR
skNBA2+P8rMEGjOM2bFvwWEjEkApi2UjxjHQCR1RTLQmFzZKqAdBnHBYYkRKQBuS
vqByQ+U+Do5GLkT/KhLCBQRVulLXqWFm/QHQ2XqNjDDXjERtSyC3Vv28aZTQVfmV
aYeXwuTlYK1YznVBFNd86piEBBZsoqP5/jq4lnpYr7e19x7eUC/8op/jc/2J/Js=
=E3Hw
-----END PGP SIGNATURE-----
From chd at chud.net Mon Feb 7 22:44:09 2005
From: chd at chud.net (Chris De Young)
Date: Tue Feb 8 00:01:50 2005
Subject: Strongest Key, Hash, and Cypher Algorithms
In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2A039DC8C0@cliff.bai.org>
References: <792DE28E91F6EA42B4663AE761C41C2A039DC8C0@cliff.bai.org>
Message-ID: <4207E129.2080406@chud.net>
Ryan Malayter wrote:
> Of
> course, the same was said about RC4 many years ago, and AFAIK there are
> still no attacks better than brute force against the RC4 algorithm
> itself (protocol issues in WEP don't count).
RC4 has some classes of weak keys, as I recall. Implementations can work
around these problems, but I would still tend to classify that as a
weakness in the algorithm rather than in the implementation. Pedantic,
perhaps, but anyway... :)
-Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050207/efe554fd/signature.pgp
From swp5jhu02 at sneakemail.com Mon Feb 7 13:58:17 2005
From: swp5jhu02 at sneakemail.com (=?ISO-8859-1?Q?Peter_Valdemar_M=F8rch?=)
Date: Tue Feb 8 09:32:27 2005
Subject: 1.4.0: Howto verify a signed file quickly - without any --homedir...
Message-ID: <420765E9.1020805@sneakemail.com>
Hi there,
My task: I have a public keyring and a signed file. I need to test
whether they verify from a script.
I don't want to use the current user's trust, keyrings or anything. In
fact, the user's home directory may not even be writable by the user.
In gnupg 1.2.5, this worked:
# gpg --always-trust --secret-keyring /dev/null --no-default-keyring
--keyring /my/key.ring --verify /some/file
gpg: Signature made Mon 19 Apr 2004 13:29:53 CEST using DSA key ID 53776FD8
gpg: Good signature from "Somebody "
gpg: WARNING: Using untrusted key!
However, in 1.4.0, this gives the following error:
gpg: fatal: can't create directory `/home/user/.gnupg': Permission denied
OK, so I can always do e.g.:
# mkdir /tmp/bogus
# gpg --homedir /tmp/bogus ...
# rm -rf /tmp/bogus
But then I'm spending time creating the bogus directory, initializing a
trust database, only to just delete it afterward. And now I have to take
care not to have two scripts running simultaneously or to use distinct
temporary directory names with all the pitfalls *that* has.
Isn't there a simpler way? (--homedir /dev/null doesn't work! :-D)
Peter
--
Peter Valdemar M?rch
http://www.morch.com
From wk at gnupg.org Tue Feb 8 09:48:48 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue Feb 8 09:45:48 2005
Subject: "Malformed user id"
In-Reply-To: <42066AC5.9030702@gmx.de> (
=?utf-8?q?Thomas_F=2E_D=C3=BCllmann's_message_of?= "Sun, 06 Feb 2005
20:06:45 +0100")
References: <4204E6C8.7090907@gmx.de> <87mzuh8r15.fsf@wheatstone.g10code.de>
<42066AC5.9030702@gmx.de>
Message-ID: <87r7jr77yn.fsf@wheatstone.g10code.de>
On Sun, 06 Feb 2005 20:06:45 +0100, Thomas F D?llmann said:
> default-key # ********* // both keys are
> the same
> encrypt-to # ********
Remove them and try again. Then look closely on what you entered. It
should similar to:
default-key 5B0358A2
encrypt-to 5B0358A2
Werner
From wk at gnupg.org Tue Feb 8 09:55:24 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue Feb 8 09:55:50 2005
Subject: capacity of keyring
In-Reply-To: <420359A9.7020908@intertivity.com> (Sascha Kiefer's message of
"Fri, 04 Feb 2005 12:16:57 +0100")
References: <4200C54D.4040305@intertivity.com>
<420224E2.9070900@intertivity.com>
<42033722.7030302@smgwtest.aachen.utimaco.de>
<420359A9.7020908@intertivity.com>
Message-ID: <87mzuf77nn.fsf@wheatstone.g10code.de>
On Fri, 04 Feb 2005 12:16:57 +0100, Sascha Kiefer said:
> When do you think that 1.9.x is going to be realeased?
There are releases every few weeks, there should be another one this
week. The support for larger keyrings has not yet been implemented,
though.
> Or how "stable" is 1.9 right now?
The S/MIME part is pretty stable and in use for quite some time. The
OpenPGP part is not verty matured yet but gpg 1.4 may be used along
with 1.9.
Shalom-Salam,
Werner
From swp5jhu02 at sneakemail.com Tue Feb 8 10:58:08 2005
From: swp5jhu02 at sneakemail.com (=?ISO-8859-1?Q?Peter_Valdemar_M=F8rch?=)
Date: Tue Feb 8 10:54:29 2005
Subject: 1.4.0: Howto verify a signed file quickly - without any --homedir...
Message-ID: <42088D30.1060800@sneakemail.com>
Hi there,
My task: I have a public keyring and a signed file. I need to test
whether they verify from a script.
I don't want to use the current user's trust, keyrings or anything. In
fact, the user's home directory may not even be writable by the user.
In gnupg 1.2.5, this worked:
# gpg --always-trust --secret-keyring /dev/null --no-default-keyring
--keyring /my/key.ring --verify /some/file
gpg: Signature made Mon 19 Apr 2004 13:29:53 CEST using DSA key ID 53776FD8
gpg: Good signature from "Somebody "
gpg: WARNING: Using untrusted key!
However, in 1.4.0, this gives the following error:
gpg: fatal: can't create directory `/home/user/.gnupg': Permission denied
OK, so I can always do e.g.:
# mkdir /tmp/bogus
# gpg --homedir /tmp/bogus ...
# rm -rf /tmp/bogus
But then I'm spending time creating the bogus directory, initializing a
trust database, only to just delete it afterward. And now I have to take
care not to have two scripts running simultaneously or to use distinct
temporary directory names with all the pitfalls *that* has.
Isn't there a simpler way avoiding the homedir altogether? (--homedir
/dev/null doesn't work! :-D)
Peter
--
Peter Valdemar M?rch
http://www.morch.com
From dshaw at jabberwocky.com Tue Feb 8 15:10:57 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Feb 8 15:07:58 2005
Subject: 1.4.0: Howto verify a signed file quickly - without any
--homedir...
In-Reply-To: <42088D30.1060800@sneakemail.com>
References: <42088D30.1060800@sneakemail.com>
Message-ID: <20050208141057.GA10444@jabberwocky.com>
On Tue, Feb 08, 2005 at 10:58:08AM +0100, Peter Valdemar M?rch wrote:
> Hi there,
>
> My task: I have a public keyring and a signed file. I need to test
> whether they verify from a script.
>
> I don't want to use the current user's trust, keyrings or anything. In
> fact, the user's home directory may not even be writable by the user.
>
> In gnupg 1.2.5, this worked:
>
> # gpg --always-trust --secret-keyring /dev/null --no-default-keyring
> --keyring /my/key.ring --verify /some/file
> gpg: Signature made Mon 19 Apr 2004 13:29:53 CEST using DSA key ID 53776FD8
> gpg: Good signature from "Somebody "
> gpg: WARNING: Using untrusted key!
>
>
> However, in 1.4.0, this gives the following error:
>
> gpg: fatal: can't create directory `/home/user/.gnupg': Permission denied
>
> OK, so I can always do e.g.:
> # mkdir /tmp/bogus
> # gpg --homedir /tmp/bogus ...
> # rm -rf /tmp/bogus
>
> But then I'm spending time creating the bogus directory, initializing a
> trust database, only to just delete it afterward. And now I have to take
> care not to have two scripts running simultaneously or to use distinct
> temporary directory names with all the pitfalls *that* has.
>
> Isn't there a simpler way avoiding the homedir altogether? (--homedir
> /dev/null doesn't work! :-D)
It sounds like you are looking for gpgv, which comes with GnuPG. It
does just what you want - verifies files and nothing else.
David
From dshaw at jabberwocky.com Tue Feb 8 17:35:14 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Feb 8 17:32:29 2005
Subject: Partial body length encoding for Compressed packets
In-Reply-To: <4DCE15B9C4E66F4CA967EBF64C53D64D67B3FE@bstn-exch1.forumsys.com>
References: <4DCE15B9C4E66F4CA967EBF64C53D64D67B3FE@bstn-exch1.forumsys.com>
Message-ID: <20050208163514.GB10858@jabberwocky.com>
On Mon, Feb 07, 2005 at 05:09:49PM -0500, Hasnain Mujtaba wrote:
> Hi David,
>
> I generated a PGP 2 style packet using GPG's --pgp2 option and tore it
> apart to look inside its structure. I found that both the encrypted and
> literal data packets are broken into RFC 2440 style partial body length
> chunks. But, as you explained, the compressed packet was indeterminate
> length encoded.
>
> I find this behavior perplexing. They made PGP 2 RFC2440 compliant only
> for encrypted and literal packets. But why not for compressed packets as
> well?
PGP 2 isn't RFC-2440 compliant. PGP 2 dates from quite a few years
before 2440 was even written.
> Is this behavior found in PGP 5.x. PGP 6.x, and PGP 7.x as well, i.e RFC
> 2440 chunking for literal & encrypted packets, but indeterminate for
> compressed packets? Or will PGP 5.x and above, understand chunking for
> all three packets?
>
> Not meaning to beat on a dead horse, but this forum is my only hope of
> staying sane in a world of interoperability minefields.
It won't work ;)
Sane PGP interoperability requires knowing when to give up. For
example, there are details between PGP 5 and 7 where you can support
one or the other, but not both.
To a certain extent, supporting bugs from old versions that have been
replaced many times over is actually harmful. I know that some users
have settled on one version of PGP and will continue to use that
version until the sun goes nova, but given the choice between
supporting that tiny minority of people, and the huge majority of
people who are using something actually RFC compliant, I know where
I'm going to spend my energy.
David
From johanw at vulcan.xs4all.nl Tue Feb 8 02:35:42 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Tue Feb 8 17:44:07 2005
Subject: Strongest Key, Hash, and Cypher Algorithms
In-Reply-To: from Wesley Tabadore
at "Feb 7, 2005 01:56:31 pm"
Message-ID: <200502080135.CAA00593@vulcan.xs4all.nl>
Wesley Tabadore wrote:
>How about for the asymmetric algorithms supported by GPG?
The security of RSA and DH are linked: it has been proven that an attack
faster than brute-forcing against one means the other can also be attacked
faster than brute-forcing.
Wether such an attack is possible at all seems to be an open question.
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From texmex at uni.de Tue Feb 8 18:08:17 2005
From: texmex at uni.de (Gregor Zattler)
Date: Tue Feb 8 18:05:01 2005
Subject: didn't help either (was: Re: it's not a PATH problem )
In-Reply-To: <000401c50b73$524f4b00$f300a8c0@HOME>
References: <20050204164756.GA16960@pit.ID-43118.user.dfncis.de>
<000401c50b73$524f4b00$f300a8c0@HOME>
Message-ID: <20050208170817.GJ21898@pit.ID-43118.user.dfncis.de>
Hi Kiefer,,
* Kiefer, Sascha [05. Feb. 2005]:
> Hi.
> Installing
> http://www.microsoft.com/downloads/details.aspx?FamilyID=6ae02498-07e9-48f1-
> a5d6-dbfa18d37e0f&DisplayLang=en
> may be helps.
i installed it, rebooted, cd'ed to \Programme\GNU\GnuPG, did "gpg
--help" --> same problem.
Ciao; gregor
From hmujtaba at forumsys.com Tue Feb 8 19:53:15 2005
From: hmujtaba at forumsys.com (Hasnain Mujtaba)
Date: Tue Feb 8 19:50:13 2005
Subject: Partial body length encoding for Compressed packets
Message-ID: <4DCE15B9C4E66F4CA967EBF64C53D64D67B400@bstn-exch1.forumsys.com>
Hi David,
There's food for thought in your comments. Sanity is very important to
me. So, thanks.
On a techincal level, I was only curious about this mixing and matching
of partial body length headers and indeterminate encoding. I guess I
will never know for sure why it is that way with 2.x, and perhaps 5.x.
Cheers,
Hasnain.
-----Original Message-----
From: gnupg-users-bounces@gnupg.org
[mailto:gnupg-users-bounces@gnupg.org] On Behalf Of David Shaw
Sent: Tuesday, February 08, 2005 11:35 AM
To: gnupg-users@gnupg.org
Subject: Re: Partial body length encoding for Compressed packets
On Mon, Feb 07, 2005 at 05:09:49PM -0500, Hasnain Mujtaba wrote:
> Hi David,
>
> I generated a PGP 2 style packet using GPG's --pgp2 option and tore it
> apart to look inside its structure. I found that both the encrypted
and
> literal data packets are broken into RFC 2440 style partial body
length
> chunks. But, as you explained, the compressed packet was indeterminate
> length encoded.
>
> I find this behavior perplexing. They made PGP 2 RFC2440 compliant
only
> for encrypted and literal packets. But why not for compressed packets
as
> well?
PGP 2 isn't RFC-2440 compliant. PGP 2 dates from quite a few years
before 2440 was even written.
> Is this behavior found in PGP 5.x. PGP 6.x, and PGP 7.x as well, i.e
RFC
> 2440 chunking for literal & encrypted packets, but indeterminate for
> compressed packets? Or will PGP 5.x and above, understand chunking for
> all three packets?
>
> Not meaning to beat on a dead horse, but this forum is my only hope of
> staying sane in a world of interoperability minefields.
It won't work ;)
Sane PGP interoperability requires knowing when to give up. For
example, there are details between PGP 5 and 7 where you can support
one or the other, but not both.
To a certain extent, supporting bugs from old versions that have been
replaced many times over is actually harmful. I know that some users
have settled on one version of PGP and will continue to use that
version until the sun goes nova, but given the choice between
supporting that tiny minority of people, and the huge majority of
people who are using something actually RFC compliant, I know where
I'm going to spend my energy.
David
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
From dshaw at jabberwocky.com Tue Feb 8 19:59:48 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Feb 8 19:56:37 2005
Subject: Partial body length encoding for Compressed packets
In-Reply-To: <4DCE15B9C4E66F4CA967EBF64C53D64D67B400@bstn-exch1.forumsys.com>
References: <4DCE15B9C4E66F4CA967EBF64C53D64D67B400@bstn-exch1.forumsys.com>
Message-ID: <20050208185948.GE10858@jabberwocky.com>
On Tue, Feb 08, 2005 at 01:53:15PM -0500, Hasnain Mujtaba wrote:
> Hi David,
>
> There's food for thought in your comments. Sanity is very important to
> me. So, thanks.
>
> On a techincal level, I was only curious about this mixing and matching
> of partial body length headers and indeterminate encoding. I guess I
> will never know for sure why it is that way with 2.x, and perhaps 5.x.
It's historical. PGP 2.x came before the partial body length encoding
existed, so that's why it doesn't support it at all.
David
From hmujtaba at forumsys.com Tue Feb 8 20:06:53 2005
From: hmujtaba at forumsys.com (Hasnain Mujtaba)
Date: Tue Feb 8 20:03:32 2005
Subject: Partial body length encoding for Compressed packets
Message-ID: <4DCE15B9C4E66F4CA967EBF64C53D64D67B401@bstn-exch1.forumsys.com>
But PGP2 does support partial body length encoding! Using the --pgp2
option when encrypting, I can see that GPG uses PBL encoding for both
encrypted and literal data packets, but not for compressesd. I must be
totally wacko, but I don't get it. Why would GPG generate PBL encoded
packets for PGP2?
-----Original Message-----
From: gnupg-users-bounces@gnupg.org
[mailto:gnupg-users-bounces@gnupg.org] On Behalf Of David Shaw
Sent: Tuesday, February 08, 2005 2:00 PM
To: gnupg-users@gnupg.org
Subject: Re: Partial body length encoding for Compressed packets
On Tue, Feb 08, 2005 at 01:53:15PM -0500, Hasnain Mujtaba wrote:
> Hi David,
>
> There's food for thought in your comments. Sanity is very important to
> me. So, thanks.
>
> On a techincal level, I was only curious about this mixing and
matching
> of partial body length headers and indeterminate encoding. I guess I
> will never know for sure why it is that way with 2.x, and perhaps 5.x.
It's historical. PGP 2.x came before the partial body length encoding
existed, so that's why it doesn't support it at all.
David
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
From dshaw at jabberwocky.com Tue Feb 8 20:12:48 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Feb 8 20:09:41 2005
Subject: Partial body length encoding for Compressed packets
In-Reply-To: <4DCE15B9C4E66F4CA967EBF64C53D64D67B401@bstn-exch1.forumsys.com>
References: <4DCE15B9C4E66F4CA967EBF64C53D64D67B401@bstn-exch1.forumsys.com>
Message-ID: <20050208191248.GF10858@jabberwocky.com>
On Tue, Feb 08, 2005 at 02:06:53PM -0500, Hasnain Mujtaba wrote:
> But PGP2 does support partial body length encoding! Using the --pgp2
> option when encrypting, I can see that GPG uses PBL encoding for both
> encrypted and literal data packets, but not for compressesd. I must be
> totally wacko, but I don't get it. Why would GPG generate PBL encoded
> packets for PGP2?
PGP2 does not support partial body length packets. GnuPG is forced to
use PBL encoding if it does not know the length of a message (say, if
you're encrypting stdin or something with no clear size). In that
case, regardless of the --pgp2 flag, PGP2 will not be able to decrypt
it.
David
From mconahan at iotest.org Tue Feb 8 20:16:34 2005
From: mconahan at iotest.org (mconahan@iotest.org)
Date: Tue Feb 8 20:12:42 2005
Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME?
In-Reply-To: <41F67AD8.2000503@iotest.org>
References: <41F55EEF.7020301@iotest.org> <41F585B5.1030208@comcast.net>
<41F67AD8.2000503@iotest.org>
Message-ID: <42091012.7080206@iotest.org>
On second thought, is it possible to specify an unique "gpg.conf" file
for each gpg session? If this could work, this would be a
workaround...I wouldn't have to modify the GPGME source. If anybody has
any ideas on how to specify a keyring/session using GPGME, please let me
know.
mconahan@iotest.org wrote:
> I could see that your solution would work for an app with a single
process, but I need to avoid process collision in my application. In
short, I am using GPGME, and each process must have its own "--keyring"
and "--secret-keyring".
> I'm playing with the idea of modifying the GPGME source, or have my
application use GPGME where supported (and use GnuPG directly
otherwise...ugh). ...I'm hoping that GPGME will support me on what I
need to do.
>
>
> Michael
>
>
>
> John Clizbe wrote:
>
> mconahan@iotest.org wrote:
>
>
> >>> Hi everyone,
> >>>
> >>> I was wondering if anyone had a clue on how to access the
> --keyring GnuPG option via GnuPG ME?
> >>>
>
>
> Include it in gpg.conf? From my Win2k development box:
>
> no-default-keyring
> keyring pubring.gpg
> secret-keyring O:\GnuPG\secring.gpg
>
>
> --
> John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet
> Golden Bear Networks PGP/GPG KeyID: 0x608D2A10
> "Be who you are and say what you feel because those who mind don't matter
> and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"
> >
> >
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
From hmujtaba at forumsys.com Tue Feb 8 20:28:53 2005
From: hmujtaba at forumsys.com (Hasnain Mujtaba)
Date: Tue Feb 8 20:25:57 2005
Subject: Partial body length encoding for Compressed packets
Message-ID: <4DCE15B9C4E66F4CA967EBF64C53D64DC945D2@bstn-exch1.forumsys.com>
That explains it! Thanks much.
-----Original Message-----
From: gnupg-users-bounces@gnupg.org
[mailto:gnupg-users-bounces@gnupg.org] On Behalf Of David Shaw
Sent: Tuesday, February 08, 2005 2:13 PM
To: gnupg-users@gnupg.org
Subject: Re: Partial body length encoding for Compressed packets
On Tue, Feb 08, 2005 at 02:06:53PM -0500, Hasnain Mujtaba wrote:
> But PGP2 does support partial body length encoding! Using the --pgp2
> option when encrypting, I can see that GPG uses PBL encoding for both
> encrypted and literal data packets, but not for compressesd. I must be
> totally wacko, but I don't get it. Why would GPG generate PBL encoded
> packets for PGP2?
PGP2 does not support partial body length packets. GnuPG is forced to
use PBL encoding if it does not know the length of a message (say, if
you're encrypting stdin or something with no clear size). In that
case, regardless of the --pgp2 flag, PGP2 will not be able to decrypt
it.
David
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
From atom at smasher.org Tue Feb 8 20:51:21 2005
From: atom at smasher.org (Atom Smasher)
Date: Tue Feb 8 20:46:54 2005
Subject: Strongest Key, Hash, and Cypher Algorithms
In-Reply-To: <200502080135.CAA00593@vulcan.xs4all.nl>
References: <200502080135.CAA00593@vulcan.xs4all.nl>
Message-ID: <20050208195036.79982.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Tue, 8 Feb 2005, Johan Wevers wrote:
> Wesley Tabadore wrote:
>
>> How about for the asymmetric algorithms supported by GPG?
>
> The security of RSA and DH are linked: it has been proven that an attack
> faster than brute-forcing against one means the other can also be
> attacked faster than brute-forcing.
>
> Wether such an attack is possible at all seems to be an open question.
======================
as i understand it a fast (polynomial time) attack against DH would
necessarily apply to RSA, but a fast attack against RSA would not
necessarily apply to DH.
to clarify for anyone who doesn't know, elgamal is a variation of DH.
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"To consider yourself an environmentalist
and still eat meat is like saying you're
a philanthropist who doesn't give to charity"
-- Howard Lyman
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCCRg/AAoJEAx/d+cTpVci8fAH/A9PJ7tGiGOgK1G0CSUIip4M
vTKimkZjWh2QOoSfa2DPXihyhGJOL9rbS4UG7oA51VNZ3uFtm0divutahk+ZRS5C
ShtugsBXB/JvJCV1xnHIapTcuORIoZfuXF9hgY8WBwHedfuQnFmk98UONIWn9AqQ
8jY28x4vd6Q/5ZEMew1Nnnl9PFH1sYnqt13ASKLHcddKQVLK9ZyrndIDvnMPnAEo
AVeRPTBm9NiZwaQUoAtNfYf9QwPElmGpeiQCsUPwT2cLC4IpxShMeo41GvuT0dDd
ZkhzL+Vzx1r1qHX77V1FHZDLj2p2sb+CaBKQuAhNh83fMk4GJosFuLbMG++rZbQ=
=Dm9e
-----END PGP SIGNATURE-----
From atom at smasher.org Tue Feb 8 21:30:39 2005
From: atom at smasher.org (Atom Smasher)
Date: Tue Feb 8 21:26:06 2005
Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME?
In-Reply-To: <42091012.7080206@iotest.org>
References: <41F55EEF.7020301@iotest.org> <41F585B5.1030208@comcast.net>
<41F67AD8.2000503@iotest.org> <42091012.7080206@iotest.org>
Message-ID: <20050208202953.8886.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Tue, 8 Feb 2005, mconahan@iotest.org wrote:
> On second thought, is it possible to specify an unique "gpg.conf" file
> for each gpg session? If this could work, this would be a
> workaround...I wouldn't have to modify the GPGME source. If anybody has
> any ideas on how to specify a keyring/session using GPGME, please let me
> know.
=========================
--options file
Read options from file and do not try to read them from the
default options file in the homedir (see --homedir). This option
is ignored if used in an options file.
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"The capitalists owned everything in the world, and everyone
else was their slave. They owned all the land, all the
houses, all the factories, and all the money. If anyone
disobeyed them they could throw him into prison, or they
could take his job away and starve him to death. When any
ordinary person spoke to a capitalist he had to cringe and
bow to him, and take off his cap and address him as 'Sir'"
-- George Orwell
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCCSF0AAoJEAx/d+cTpVcimnMH/RcptKwDU7NIpt+SxBeGsU4V
ZKk8xRUqFE0WX7LR7Yacbl8OgGX7W0PeTsjNgc2XRw/KtEQts3+GB+qW10WpVSEb
WnRDlaZOhczgnFuCpMj5VWjodKxHK0nXU2FgGO4CISK5p/No679Vy8ycZsC4prxl
sjCOYUZoVDVMPY55IycVc+Cx8KnosqGSINvGkfz+eF3jDdMYxFzr5EcrF3H4wupm
vq1wJEo5+TnmCGkzduxABZdcQ4Ak1sXWVCB5mxw6k4rtExFUZy5Az2sXBFJ0JqaO
n1EhhldeQXNZt2cSXjc23uVVc3DjlocVmIMv0bJ21p7YG/g3sXyHtKDxP6RdfnI=
=bqVs
-----END PGP SIGNATURE-----
From JPClizbe at comcast.net Wed Feb 9 00:49:43 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Wed Feb 9 00:49:09 2005
Subject: didn't help either (was: Re: it's not a PATH problem )
In-Reply-To: <20050208170817.GJ21898@pit.ID-43118.user.dfncis.de>
References: <20050204164756.GA16960@pit.ID-43118.user.dfncis.de> <000401c50b73$524f4b00$f300a8c0@HOME>
<20050208170817.GJ21898@pit.ID-43118.user.dfncis.de>
Message-ID: <42095017.5030203@comcast.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Gregor Zattler wrote:
> Hi Kiefer,,
> * Kiefer, Sascha [05. Feb. 2005]:
>> Hi.
>> Installing
>> http://www.microsoft.com/downloads/details.aspx?FamilyID=6ae02498-07e9-48f1-
>> a5d6-dbfa18d37e0f&DisplayLang=en
>> may be helps.
>
> i installed it, rebooted, cd'ed to \Programme\GNU\GnuPG, did "gpg
> --help" --> same problem.
Try '.\gpg --help'
'gpg --help' will search the PATH
'.\gpg --help' looks in the current directory
BTW, --version serves the same purpose without generating as much output
and also has some helpful info
- --
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
GingerBear Consluting PGP/GPG KeyID: 0x608D2A10
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (MingW32)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the ?33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFCCVAVHQSsSmCNKhARAtKTAJ97SNcPkvKoULUdNMctHT/GDYsh1wCg81ci
+4HFaKkyv53WzLvgeTt7OGk=
=cdz6
-----END PGP SIGNATURE-----
From wk at gnupg.org Wed Feb 9 08:49:03 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 9 08:45:47 2005
Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME?
In-Reply-To: <42091012.7080206@iotest.org> (mconahan@iotest.org's message of
"Tue, 08 Feb 2005 14:16:34 -0500")
References: <41F55EEF.7020301@iotest.org> <41F585B5.1030208@comcast.net>
<41F67AD8.2000503@iotest.org> <42091012.7080206@iotest.org>
Message-ID: <87sm46yxzk.fsf@wheatstone.g10code.de>
On Tue, 08 Feb 2005 14:16:34 -0500, mconahan@iotest org said:
> On second thought, is it possible to specify an unique "gpg.conf" file
> for each gpg session? If this could work, this would be a
You won't be able to do that. With a future version you will be able
to specify a home directory and thus also another gpg.conf:
Noteworthy changes in version 1.1.0 (unreleased)
------------------------------------------------
* You can now configure the backend engine file name and home
directory to be used, as default and per context.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgme_set_engine_info NEW
gpgme_ctx_get_engine_info NEW
gpgme_ctx_set_engine_info NEW
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Salam-Shalom,
Werner
From johanw at vulcan.xs4all.nl Wed Feb 9 11:38:50 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed Feb 9 12:08:04 2005
Subject: didn't help either (was: Re: it's not a PATH problem )
In-Reply-To: <42095017.5030203@comcast.net> from John Clizbe at "Feb 8,
2005 05:49:43 pm"
Message-ID: <200502091038.LAA02492@vulcan.xs4all.nl>
John Clizbe wrote:
>'.\gpg --help' looks in the current directory
On windows, the current directory is always first in the path.
You don't have to specify that explicitly as in Unix.
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From mconahan at iotest.org Wed Feb 9 15:58:35 2005
From: mconahan at iotest.org (mconahan@iotest.org)
Date: Wed Feb 9 15:54:46 2005
Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME?
In-Reply-To: <87sm46yxzk.fsf@wheatstone.g10code.de>
References: <41F55EEF.7020301@iotest.org>
<41F585B5.1030208@comcast.net> <41F67AD8.2000503@iotest.org>
<42091012.7080206@iotest.org>
<87sm46yxzk.fsf@wheatstone.g10code.de>
Message-ID: <420A251B.6050406@iotest.org>
Werner Koch wrote:
>On Tue, 08 Feb 2005 14:16:34 -0500, mconahan@iotest org said:
>
>
>
>>On second thought, is it possible to specify an unique "gpg.conf" file
>>for each gpg session? If this could work, this would be a
>>
>>
>
>You won't be able to do that. With a future version you will be able
>to specify a home directory and thus also another gpg.conf:
>
>Noteworthy changes in version 1.1.0 (unreleased)
>------------------------------------------------
>
> * You can now configure the backend engine file name and home
> directory to be used, as default and per context.
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>gpgme_set_engine_info NEW
>gpgme_ctx_get_engine_info NEW
>gpgme_ctx_set_engine_info NEW
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
>
>Salam-Shalom,
>
> Werner
>
>
>
>
Doh!
Hmmm... For GPGME 'out of the box', is there a way to utilize the GnuPG
options "--homedir", "--keyring", "--no-default-keyring", and
"--secret-keyring" for a context (at a minmum I need the use of the
latter three)?
If there is not a way 'out of the box', where in the GPGME source would
I have to add the above GnuPG arguments, in order to have them sent to
GnuPG along with the rest of the arguments already specified in the
context? Would it be the function "build_argv" in rungpg.c?
From mike at mcarlson.net Wed Feb 9 16:21:34 2005
From: mike at mcarlson.net (Mike Carlson)
Date: Wed Feb 9 17:04:22 2005
Subject: Importing Keys in Outlook/GPA
Message-ID: <420A2A7E.1080808@mcarlson.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I use Thunderbird for my daily email needs but I do ocassionally use
Outlook because of client requirements and I want to use the key that I
generated under Enigmail/GnuPG/Thunderbird in Outlook with GPA
(GnuPG-Plugin).
I tried using the Import feature of GPA but it doesnt seem to recognize
the file I am trying to import.
I tried the pub/sec key I exported out of EnigMail and I tried the
secring.gpg and pubring.gpg files, none of which worked.
Can I import the key I generated earlier into Outlook or do I have to
create a new one?
Thanks,
- --Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
iD8DBQFCCip++MpGcpt053MRAtWMAKCrp/k9u3Si1qHsuZaXHl4Ivuzf+QCePeSa
ZHpM01NvRsF7bmsdlhEySrA=
=p/gW
-----END PGP SIGNATURE-----
From texmex at uni.de Wed Feb 9 17:49:50 2005
From: texmex at uni.de (Gregor Zattler)
Date: Wed Feb 9 17:46:42 2005
Subject: didn't help either (was: Re: it's not a PATH problem )
In-Reply-To: <42095017.5030203@comcast.net>
References: <20050204164756.GA16960@pit.ID-43118.user.dfncis.de>
<000401c50b73$524f4b00$f300a8c0@HOME>
<20050208170817.GJ21898@pit.ID-43118.user.dfncis.de>
<42095017.5030203@comcast.net>
Message-ID: <20050209164950.GG17209@pit.ID-43118.user.dfncis.de>
Hi John,
* John Clizbe [08. Feb. 2005]:
> Gregor Zattler wrote:
> > * Kiefer, Sascha [05. Feb. 2005]:
> >> Hi.
> >> Installing
> >> http://www.microsoft.com/downloads/details.aspx?FamilyID=6ae02498-07e9-48f1-
> >> a5d6-dbfa18d37e0f&DisplayLang=en
> >> may be helps.
> >
> > i installed it, rebooted, cd'ed to \Programme\GNU\GnuPG, did "gpg
> > --help" --> same problem.
>
> Try '.\gpg --help'
>
> 'gpg --help' will search the PATH
>
> '.\gpg --help' looks in the current directory
>
> BTW, --version serves the same purpose without generating as much output
> and also has some helpful info
Did it: same problem.
Gregor
From abien at nbmc.de Wed Feb 9 17:37:35 2005
From: abien at nbmc.de (Alexander Bien)
Date: Wed Feb 9 18:34:52 2005
Subject: gnupg windows, per user homedir on a terminal server
Message-ID: <420A3C4F.4000604@nbmc.de>
hello folks,
i am trying to install gnupg for windows in a terminal server (2003) env
with multiple users. My idea is to have one installation of the binarys,
but allow each user to have his/her own keyring in theyr userdir.
I understand gnupg support the homedir variable for this purpose:
[HKEY_LOCAL_MACHINE\Software\GNU\GNUPG]
"HomeDir"="C:\\GnuPG"
"gpgProgram"="C:\\GnuPG\\gpg.exe"
I tried to set homedir to the folowing value
"C:\Documents and Settings\%user%\gnupg\"
tests showd me that a fresh set of keyrings is no longer installed to
c:\gnupg\, but neither is it installed to the userdir.. it seems its not
picking up that setting correctly. or i am simply not providing it in
the correct manner. :(
What is the suggested procedure to use gnupg in a multi-user env based
on Windows?
best regards
Alex
From sk at intertivity.com Wed Feb 9 19:25:03 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Wed Feb 9 19:21:07 2005
Subject: didn't help either (was: Re: it's not a PATH problem )
In-Reply-To: <20050209164950.GG17209@pit.ID-43118.user.dfncis.de>
Message-ID: <000001c50ed4$acb90770$f300a8c0@HOME>
Do me a favour and send me your shell32.dll
> -----Original Message-----
> From: gnupg-users-bounces@gnupg.org
> [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Gregor Zattler
> Sent: Mittwoch, 9. Februar 2005 17:50
> To: gnupg-users
> Subject: Re: didn't help either (was: Re: it's not a PATH problem )
>
>
> Hi John,
> * John Clizbe [08. Feb. 2005]:
> > Gregor Zattler wrote:
> > > * Kiefer, Sascha [05. Feb. 2005]:
> > >> Hi.
> > >> Installing
> > >>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=6ae02498-0
> > >> 7e9-48f1-
> > >> a5d6-dbfa18d37e0f&DisplayLang=en
> > >> may be helps.
> > >
> > > i installed it, rebooted, cd'ed to \Programme\GNU\GnuPG, did "gpg
> > > --help" --> same problem.
> >
> > Try '.\gpg --help'
> >
> > 'gpg --help' will search the PATH
> >
> > '.\gpg --help' looks in the current directory
> >
> > BTW, --version serves the same purpose without generating as much
> > output and also has some helpful info
>
> Did it: same problem.
>
> Gregor
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
From jharris at widomaker.com Wed Feb 9 20:33:19 2005
From: jharris at widomaker.com (Jason Harris)
Date: Wed Feb 9 20:29:40 2005
Subject: GD doesn't always accept revocations
Message-ID: <20050209193319.GK3466@wilma.widomaker.com>
It seems the GD doesn't always accept revocations for keys it stores:
%gpg --keyserver keyserver.kjsl.com --recv 3EA5F9EF
[snip]
%gpg --check-sigs 3EA5F9EF
pub 1024D/3EA5F9EF 2004-12-13 [revoked: 2005-02-06]
rev! 3EA5F9EF 2005-02-06 Tobias Braunschober
uid Tobias Braunschober <>
sig!3 3EA5F9EF 2005-02-06 Tobias Braunschober <>
sig!3 3EA5F9EF 2004-12-13 Tobias Braunschober <>
sig! CA57AD7C 2005-02-05 PGP Global Directory Verification Key
1 signature not checked due to a missing key
%gpg --keyserver ldap://keyserver-beta.pgp.com --send-key 3EA5F9EF
gpg: sending key 3EA5F9EF to ldap server keyserver-beta.pgp.com
Host: keyserver-beta.pgp.com
Command: SEND
Server: PGP Universal Server
Version: 2.0.0 (Build 1014)
%gpg --delete-key 3EA5F9EF
[snip]
%gpg --keyserver ldap://keyserver-beta.pgp.com --recv 3EA5F9EF
gpg: requesting key 3EA5F9EF from ldap server keyserver-beta.pgp.com
Host: keyserver-beta.pgp.com
Command: GET
Server: PGP Universal Server
Version: 2.0.0 (Build 1014)
gpgkeys: LDAP fetch for: (pgpkeyid=3EA5F9EF)
gpg: key 3EA5F9EF: public key "Tobias Braunschober <>" imported
gpg: Total number processed: 1
gpg: imported: 1
Note that the key is returned from keyserver-beta.pgp.com
_without its revocation_:
%gpg --check-sigs 3EA5F9EF
pub 1024D/3EA5F9EF 2004-12-13
uid Tobias Braunschober <>
sig!3 3EA5F9EF 2004-12-13 Tobias Braunschober <>
sig! CA57AD7C 2005-02-05 PGP Global Directory Verification Key
sub 2048g/2AB8AB81 2004-12-13
sig! 3EA5F9EF 2004-12-13 Tobias Braunschober <>
1 signature not checked due to a missing key
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050209/a12516e6/attachment.pgp
From dshaw at jabberwocky.com Wed Feb 9 20:53:58 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 9 20:50:51 2005
Subject: GD doesn't always accept revocations
In-Reply-To: <20050209193319.GK3466@wilma.widomaker.com>
References: <20050209193319.GK3466@wilma.widomaker.com>
Message-ID: <20050209195358.GE13201@jabberwocky.com>
On Wed, Feb 09, 2005 at 02:33:19PM -0500, Jason Harris wrote:
>
> It seems the GD doesn't always accept revocations for keys it stores:
> %gpg --keyserver keyserver.kjsl.com --recv 3EA5F9EF
> %gpg --keyserver ldap://keyserver-beta.pgp.com --send-key 3EA5F9EF
> %gpg --delete-key 3EA5F9EF
> %gpg --keyserver ldap://keyserver-beta.pgp.com --recv 3EA5F9EF
> Note that the key is returned from keyserver-beta.pgp.com
> _without its revocation_:
https://keyserver-beta.pgp.com/vkd/VKDHelpPGPCom.html :
Can I post a revoked key to the PGP Global Directory?
No. The PGP Global Directory includes many features to prevent it
from being filled with unusable keys. One of these features is that
the directory does not support revoked keys. Instead of revoking
your key, simply remove it from the directory.
In short, it's a feature. I'm not sure I completely like that
feature, but nevertheless, the GD is operating as intended.
David
From jharris at widomaker.com Wed Feb 9 21:01:11 2005
From: jharris at widomaker.com (Jason Harris)
Date: Wed Feb 9 20:57:22 2005
Subject: GD doesn't always accept revocations
In-Reply-To: <20050209195358.GE13201@jabberwocky.com>
References: <20050209193319.GK3466@wilma.widomaker.com>
<20050209195358.GE13201@jabberwocky.com>
Message-ID: <20050209200111.GA42975@wilma.widomaker.com>
On Wed, Feb 09, 2005 at 02:53:58PM -0500, David Shaw wrote:
> On Wed, Feb 09, 2005 at 02:33:19PM -0500, Jason Harris wrote:
> > It seems the GD doesn't always accept revocations for keys it stores:
> > Note that the key is returned from keyserver-beta.pgp.com
> > _without its revocation_:
>
> https://keyserver-beta.pgp.com/vkd/VKDHelpPGPCom.html :
>
> Can I post a revoked key to the PGP Global Directory?
>
> No. The PGP Global Directory includes many features to prevent it
> from being filled with unusable keys. One of these features is that
> the directory does not support revoked keys. Instead of revoking
> your key, simply remove it from the directory.
>
> In short, it's a feature. I'm not sure I completely like that
> feature, but nevertheless, the GD is operating as intended.
Revoked keys are supposed to be _removed_ from the GD, period.
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050209/5bf2fd7a/attachment-0001.pgp
From dshaw at jabberwocky.com Wed Feb 9 21:07:58 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 9 21:04:49 2005
Subject: GD doesn't always accept revocations
In-Reply-To: <20050209200111.GA42975@wilma.widomaker.com>
References: <20050209193319.GK3466@wilma.widomaker.com>
<20050209195358.GE13201@jabberwocky.com>
<20050209200111.GA42975@wilma.widomaker.com>
Message-ID: <20050209200758.GA13550@jabberwocky.com>
On Wed, Feb 09, 2005 at 03:01:11PM -0500, Jason Harris wrote:
> On Wed, Feb 09, 2005 at 02:53:58PM -0500, David Shaw wrote:
> > On Wed, Feb 09, 2005 at 02:33:19PM -0500, Jason Harris wrote:
>
> > > It seems the GD doesn't always accept revocations for keys it stores:
>
> > > Note that the key is returned from keyserver-beta.pgp.com
> > > _without its revocation_:
> >
> > https://keyserver-beta.pgp.com/vkd/VKDHelpPGPCom.html :
> >
> > Can I post a revoked key to the PGP Global Directory?
> >
> > No. The PGP Global Directory includes many features to prevent it
> > from being filled with unusable keys. One of these features is that
> > the directory does not support revoked keys. Instead of revoking
> > your key, simply remove it from the directory.
> >
> > In short, it's a feature. I'm not sure I completely like that
> > feature, but nevertheless, the GD is operating as intended.
>
> Revoked keys are supposed to be _removed_ from the GD, period.
Supposed to by whose say-so? Period or what? I'll repeat the quote
from the GD:
Can I post a revoked key to the PGP Global Directory?
No. The PGP Global Directory includes many features to prevent it
from being filled with unusable keys. One of these features is that
the directory does not support revoked keys. Instead of revoking
your key, simply remove it from the directory.
They don't do it. They even document their not doing it. You might
suggest it to them as a feature, but they don't do it now.
I'm not saying I think this is optimal behavior, but the documentation
is pretty clear on this point.
David
From sk at intertivity.com Wed Feb 9 21:22:15 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Wed Feb 9 21:18:20 2005
Subject: didn't help either (was: Re: it's not a PATH problem )
In-Reply-To: <20050208170817.GJ21898@pit.ID-43118.user.dfncis.de>
Message-ID: <001a01c50ee5$0bc92b40$f300a8c0@HOME>
Well, i just checked his shell32.dll and it
seems that that function SHGetFolderPathA is really not in there.
Why is this function needed anyway?
> -----Original Message-----
> From: gnupg-users-bounces@gnupg.org
> [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Gregor Zattler
> Sent: Dienstag, 8. Februar 2005 18:08
> To: gnupg-users
> Subject: didn't help either (was: Re: it's not a PATH problem )
>
>
> Hi Kiefer,,
> * Kiefer, Sascha [05. Feb. 2005]:
> > Hi.
> > Installing
> >
> http://www.microsoft.com/downloads/details.aspx?FamilyID=6ae02498-07e9
> > -48f1-
> > a5d6-dbfa18d37e0f&DisplayLang=en
> > may be helps.
>
> i installed it, rebooted, cd'ed to \Programme\GNU\GnuPG, did
> "gpg --help" --> same problem.
>
> Ciao; gregor
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
From jharris at widomaker.com Wed Feb 9 21:26:19 2005
From: jharris at widomaker.com (Jason Harris)
Date: Wed Feb 9 21:22:29 2005
Subject: GD doesn't always accept revocations
In-Reply-To: <20050209200111.GA42975@wilma.widomaker.com>
References: <20050209193319.GK3466@wilma.widomaker.com>
<20050209195358.GE13201@jabberwocky.com>
<20050209200111.GA42975@wilma.widomaker.com>
Message-ID: <20050209202618.GL3466@wilma.widomaker.com>
On Wed, Feb 09, 2005 at 03:01:11PM -0500, Jason Harris wrote:
> On Wed, Feb 09, 2005 at 02:53:58PM -0500, David Shaw wrote:
> > In short, it's a feature. I'm not sure I completely like that
> > feature, but nevertheless, the GD is operating as intended.
>
> Revoked keys are supposed to be _removed_ from the GD, period.
[self-reply]
Correction: Revoked keys _should be_ _removed_ from the GD, period,
in keeping with its stated goals.
Obviously, the keyholder didn't heed the FAQ and has left 0x3EA5F9EF
on the GD. Unless this is corrected, ldap://keyserver-beta.pgp.com
will incorrectly serve the unrevoked version of the key for the next
6 months.
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050209/191980d0/attachment.pgp
From dshaw at jabberwocky.com Wed Feb 9 21:32:57 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 9 21:29:35 2005
Subject: GD doesn't always accept revocations
In-Reply-To: <20050209202618.GL3466@wilma.widomaker.com>
References: <20050209193319.GK3466@wilma.widomaker.com>
<20050209195358.GE13201@jabberwocky.com>
<20050209200111.GA42975@wilma.widomaker.com>
<20050209202618.GL3466@wilma.widomaker.com>
Message-ID: <20050209203257.GB13550@jabberwocky.com>
On Wed, Feb 09, 2005 at 03:26:19PM -0500, Jason Harris wrote:
> On Wed, Feb 09, 2005 at 03:01:11PM -0500, Jason Harris wrote:
> > On Wed, Feb 09, 2005 at 02:53:58PM -0500, David Shaw wrote:
>
> > > In short, it's a feature. I'm not sure I completely like that
> > > feature, but nevertheless, the GD is operating as intended.
> >
> > Revoked keys are supposed to be _removed_ from the GD, period.
>
> [self-reply]
>
> Correction: Revoked keys _should be_ _removed_ from the GD, period,
> in keeping with its stated goals.
>
> Obviously, the keyholder didn't heed the FAQ and has left 0x3EA5F9EF
> on the GD. Unless this is corrected, ldap://keyserver-beta.pgp.com
> will incorrectly serve the unrevoked version of the key for the next
> 6 months.
Yes. I don't think this is the best design. I understand the desire
to keep revoked keys off of the GD, but it's not clear what to do in
this case (an unrevoked key on the GD is suddenly revoked).
Drop the key immediately? Accept the revocation and then drop the key
after some time has gone by? I rather like the idea of accepting the
revocation, and then immediately causing the key to need to be
reverified by the user (as if their 6 month time on the GD was up).
This way the user knows what happened, and doing nothing causes the
key to fall out of the GD.
David
From adam00f at ducksburg.com Wed Feb 9 21:45:54 2005
From: adam00f at ducksburg.com (Adam Funk)
Date: Wed Feb 9 21:42:04 2005
Subject: unable to execute program `gpgkeys_hkp': Permission denied
Message-ID: <200502092045.54635.adam00f@ducksburg.com>
I compiled and installed GnuPG 1.4.0. Everything works except interaction
with keyservers. When I use --send-key, --recv-key or --refresh, it
always fails thus:
$ gpg -v --recv-key F09BDAD5
gpg: requesting key F09BDAD5 from hkp server pgp.mit.edu
gpg: unable to execute program `gpgkeys_hkp': Permission denied
gpg: keyserver internal error
gpg: keyserver receive failed: keyserver error
How do I fix this?
Thanks,
Adam
From adam00f at ducksburg.com Wed Feb 9 21:58:03 2005
From: adam00f at ducksburg.com (Adam Funk)
Date: Wed Feb 9 21:54:13 2005
Subject: Are all the UIDs on a key supposed to be equal?
Message-ID: <200502092058.04060.adam00f@ducksburg.com>
Erwan David:
> You can also revoke uids on your key; which indicates juste a
> change of address, but you keep being the same person. If you look
> at my key (0xF7001FC7 on public servers), you see it bears
> following Ids:
I added a UID, revoked another UID, and changed the primary UID, then the
key to the MIT keyserver. The keyserver's verbose listing includes the
new UID but doesn't indicate the revocation. Is that normal?
From swright at physics.adelaide.edu.au Wed Feb 9 22:01:31 2005
From: swright at physics.adelaide.edu.au (Stewart V. Wright)
Date: Wed Feb 9 21:58:11 2005
Subject: unable to execute program `gpgkeys_hkp': Permission denied
In-Reply-To: <200502092045.54635.adam00f@ducksburg.com>
References: <200502092045.54635.adam00f@ducksburg.com>
Message-ID: <20050209210131.GE13440@anl.gov>
G'day Adam,
* Adam Funk [050209 14:52]:
> I compiled and installed GnuPG 1.4.0. Everything works except interaction
> with keyservers. When I use --send-key, --recv-key or --refresh, it
> always fails thus:
>
> $ gpg -v --recv-key F09BDAD5
> gpg: requesting key F09BDAD5 from hkp server pgp.mit.edu
> gpg: unable to execute program `gpgkeys_hkp': Permission denied
> gpg: keyserver internal error
> gpg: keyserver receive failed: keyserver error
>
> How do I fix this?
I had the same problem. For some reason GnuPG wants these gpgkey_*
files in /usr/libexec/gnupg/, but they are installed in /usr/libexec
Just symlink them (*) and then submit a bug report - I was and still
am too lazy to do it myself.
Cheers,
S.
(*) For completeness something like this should work...
cd /usr/libexec/gnupg/
ln -s ../gpgkey_*
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 274 bytes
Desc: Digital signature
Url : /pipermail/attachments/20050209/696b2ebf/attachment.pgp
From jharris at widomaker.com Wed Feb 9 22:14:51 2005
From: jharris at widomaker.com (Jason Harris)
Date: Wed Feb 9 22:11:03 2005
Subject: GD doesn't always accept revocations
In-Reply-To: <20050209203257.GB13550@jabberwocky.com>
References: <20050209193319.GK3466@wilma.widomaker.com>
<20050209195358.GE13201@jabberwocky.com>
<20050209200111.GA42975@wilma.widomaker.com>
<20050209202618.GL3466@wilma.widomaker.com>
<20050209203257.GB13550@jabberwocky.com>
Message-ID: <20050209211450.GM3466@wilma.widomaker.com>
On Wed, Feb 09, 2005 at 03:32:57PM -0500, David Shaw wrote:
> On Wed, Feb 09, 2005 at 03:26:19PM -0500, Jason Harris wrote:
> > Obviously, the keyholder didn't heed the FAQ and has left 0x3EA5F9EF
> > on the GD. Unless this is corrected, ldap://keyserver-beta.pgp.com
> > will incorrectly serve the unrevoked version of the key for the next
> > 6 months.
>
> Yes. I don't think this is the best design. I understand the desire
> to keep revoked keys off of the GD, but it's not clear what to do in
> this case (an unrevoked key on the GD is suddenly revoked).
It needs only to verify the revocation and remove the key immediately.
> Drop the key immediately? Accept the revocation and then drop the key
> after some time has gone by? I rather like the idea of accepting the
> revocation, and then immediately causing the key to need to be
> reverified by the user (as if their 6 month time on the GD was up).
> This way the user knows what happened, and doing nothing causes the
> key to fall out of the GD.
The key was revoked by the keyholder, so it cannot be re-added to the
GD unless its revocation certificate is removed. This is very simple
to do with a tool like gpgsplit, and is therefore an easy attack to
perpetrate against the GD and keyholders of revoked keys. (I classify
it as an attack because it gets the GD to send confirmation emails for
"useless" keys, anyone answering the unencrypted challenges causes the
GD to store "useless" keys, etc.)
This also applies to expired (v4) keys, as long as at least one (earlier)
selfsig didn't expire the key.
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050209/fcd1584e/attachment.pgp
From dshaw at jabberwocky.com Wed Feb 9 22:18:32 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 9 22:15:14 2005
Subject: unable to execute program `gpgkeys_hkp': Permission denied
In-Reply-To: <20050209210131.GE13440@anl.gov>
References: <200502092045.54635.adam00f@ducksburg.com>
<20050209210131.GE13440@anl.gov>
Message-ID: <20050209211832.GD13550@jabberwocky.com>
On Wed, Feb 09, 2005 at 03:01:31PM -0600, Stewart V. Wright wrote:
> G'day Adam,
>
> * Adam Funk [050209 14:52]:
> > I compiled and installed GnuPG 1.4.0. Everything works except interaction
> > with keyservers. When I use --send-key, --recv-key or --refresh, it
> > always fails thus:
> >
> > $ gpg -v --recv-key F09BDAD5
> > gpg: requesting key F09BDAD5 from hkp server pgp.mit.edu
> > gpg: unable to execute program `gpgkeys_hkp': Permission denied
> > gpg: keyserver internal error
> > gpg: keyserver receive failed: keyserver error
> >
> > How do I fix this?
>
> I had the same problem. For some reason GnuPG wants these gpgkey_*
> files in /usr/libexec/gnupg/, but they are installed in /usr/libexec
>
> Just symlink them (*) and then submit a bug report - I was and still
> am too lazy to do it myself.
If you don't mention bugs, they can never be fixed.
What configure command line did you use originally? Did you use
--prefix or something similar?
David
From torduninja at mail.pf Wed Feb 9 22:20:23 2005
From: torduninja at mail.pf (Maxine Brandt)
Date: Wed Feb 9 22:21:52 2005
Subject: didn't help either (was: Re: it's not a PATH problem )
Message-ID: <420A7E97.2070907@mail.pf>
Gregor Zattler wrote:
>> Try '.\gpg --help'
>>
>> 'gpg --help' will search the PATH
>>
>> '.\gpg --help' looks in the current directory
>>
>> BTW, --version serves the same purpose without generating as much output
>> and also has some helpful info
> Did it: same problem.
The reason for your problem is that under w'98 the SHGetFolderPath is found in
shfolder.dll and not in shell32.dll, but the rc1 code has overlooked this
particularity. The issue has been reported on the gnupg-devel list:
http://marc.theaimsgroup.com/?l=gnupg-devel&m=110751660616663&w=2
Salut
Maxine
--
OpenPGP keys: http://www.torduninja.tk
From dshaw at jabberwocky.com Wed Feb 9 22:25:48 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 9 22:22:30 2005
Subject: GD doesn't always accept revocations
In-Reply-To: <20050209211450.GM3466@wilma.widomaker.com>
References: <20050209193319.GK3466@wilma.widomaker.com>
<20050209195358.GE13201@jabberwocky.com>
<20050209200111.GA42975@wilma.widomaker.com>
<20050209202618.GL3466@wilma.widomaker.com>
<20050209203257.GB13550@jabberwocky.com>
<20050209211450.GM3466@wilma.widomaker.com>
Message-ID: <20050209212548.GE13550@jabberwocky.com>
On Wed, Feb 09, 2005 at 04:14:51PM -0500, Jason Harris wrote:
> On Wed, Feb 09, 2005 at 03:32:57PM -0500, David Shaw wrote:
> > On Wed, Feb 09, 2005 at 03:26:19PM -0500, Jason Harris wrote:
>
> > > Obviously, the keyholder didn't heed the FAQ and has left 0x3EA5F9EF
> > > on the GD. Unless this is corrected, ldap://keyserver-beta.pgp.com
> > > will incorrectly serve the unrevoked version of the key for the next
> > > 6 months.
> >
> > Yes. I don't think this is the best design. I understand the desire
> > to keep revoked keys off of the GD, but it's not clear what to do in
> > this case (an unrevoked key on the GD is suddenly revoked).
>
> It needs only to verify the revocation and remove the key immediately.
Well, that's one possible answer. Why don't you suggest it to the GD
people?
> The key was revoked by the keyholder, so it cannot be re-added to the
> GD unless its revocation certificate is removed. This is very simple
> to do with a tool like gpgsplit, and is therefore an easy attack to
> perpetrate against the GD and keyholders of revoked keys. (I classify
> it as an attack because it gets the GD to send confirmation emails for
> "useless" keys, anyone answering the unencrypted challenges causes the
> GD to store "useless" keys, etc.)
>
> This also applies to expired (v4) keys, as long as at least one (earlier)
> selfsig didn't expire the key.
Why go through a lot of bother to find an expired or revoked key which
you then manipulate into being acceptable? Just make a brand new key
with your victim's email address and submit that. It's the same
result.
David
From dshaw at jabberwocky.com Wed Feb 9 22:42:58 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 9 22:39:38 2005
Subject: Are all the UIDs on a key supposed to be equal?
In-Reply-To: <200502092058.04060.adam00f@ducksburg.com>
References: <200502092058.04060.adam00f@ducksburg.com>
Message-ID: <20050209214258.GF13550@jabberwocky.com>
On Wed, Feb 09, 2005 at 08:58:03PM +0000, Adam Funk wrote:
> Erwan David:
>
> > You can also revoke uids on your key; which indicates juste a
> > change of address, but you keep being the same person. If you look
> > at my key (0xF7001FC7 on public servers), you see it bears
> > following Ids:
>
> I added a UID, revoked another UID, and changed the primary UID, then the
> key to the MIT keyserver. The keyserver's verbose listing includes the
> new UID but doesn't indicate the revocation. Is that normal?
I don't think the MIT keyserver shows revoked UIDs as being revoked.
David
From swright at physics.adelaide.edu.au Wed Feb 9 22:48:34 2005
From: swright at physics.adelaide.edu.au (Stewart V. Wright)
Date: Wed Feb 9 22:45:15 2005
Subject: unable to execute program `gpgkeys_hkp': Permission denied
In-Reply-To: <20050209211832.GD13550@jabberwocky.com>
References: <200502092045.54635.adam00f@ducksburg.com>
<20050209210131.GE13440@anl.gov>
<20050209211832.GD13550@jabberwocky.com>
Message-ID: <20050209214834.GF13440@anl.gov>
G'day David,
* David Shaw [050209 15:27]:
> If you don't mention bugs, they can never be fixed.
Mea culpa.
> What configure command line did you use originally? Did you use
> --prefix or something similar?
I'm not sure what Adam did, but I just used the included .spec file to
create an rpm and installed that.
Oh, the .spec file is faulty too with regards installing the info
pages - and I know I reported that for 1.2.6:
http://marc.theaimsgroup.com/?l=gnupg-devel&m=109354656722315&w=2
Cheers,
S.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 274 bytes
Desc: Digital signature
Url : /pipermail/attachments/20050209/66b65138/attachment.pgp
From jharris at widomaker.com Wed Feb 9 23:38:46 2005
From: jharris at widomaker.com (Jason Harris)
Date: Wed Feb 9 23:35:19 2005
Subject: GD doesn't always accept revocations
In-Reply-To: <20050209212548.GE13550@jabberwocky.com>
References: <20050209193319.GK3466@wilma.widomaker.com>
<20050209195358.GE13201@jabberwocky.com>
<20050209200111.GA42975@wilma.widomaker.com>
<20050209202618.GL3466@wilma.widomaker.com>
<20050209203257.GB13550@jabberwocky.com>
<20050209211450.GM3466@wilma.widomaker.com>
<20050209212548.GE13550@jabberwocky.com>
Message-ID: <20050209223846.GN3466@wilma.widomaker.com>
On Wed, Feb 09, 2005 at 04:25:48PM -0500, David Shaw wrote:
> On Wed, Feb 09, 2005 at 04:14:51PM -0500, Jason Harris wrote:
> > It needs only to verify the revocation and remove the key immediately.
>
> Well, that's one possible answer. Why don't you suggest it to the GD
> people?
If this isn't already self-evident to them...
> Why go through a lot of bother to find an expired or revoked key which
> you then manipulate into being acceptable? Just make a brand new key
> with your victim's email address and submit that. It's the same
> result.
For one thing, anyone who followed the GD FAQ and simply removed a key
from the GD without revoking it in their own keyring may be duped into
confirming the fingerprint of a key they once used and probably still
have. The key may or may not be expired, but their encryption client
definitely can't heed a revocation that was never generated.
For another, why waste good bytes out of /dev/random? Besides, the
game is mostly over if the victim must first import a totally unknown key.
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050209/a1dd93d7/attachment.pgp
From gpg at jason.markley.name Wed Feb 9 23:45:24 2005
From: gpg at jason.markley.name (Jason Markley)
Date: Wed Feb 9 23:42:20 2005
Subject: revoking a UID
Message-ID: <420A9284.9070104@jason.markley.name>
When one revokes a UID to effectivly change addresses, how does that
affect the signatures that were on the key?
In other words...
1. Generate a key with uid1.
2. Get this key signed by your friends, etc.
3. Generate a new uid, uid2.
4. revoke the old uid, uid1.
Will your friends that signed your key origionally still see your key as
valid? Will they have to sign the new uid in order to have your key be
valid again? What are the security implications of having your friends
still see your key as valid when you've revoked the uid that they signed?
Thoughts are much appreciated.
-Jason
From JPClizbe at comcast.net Wed Feb 9 23:47:00 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Wed Feb 9 23:43:46 2005
Subject: gnupg windows, per user homedir on a terminal server
In-Reply-To: <420A3C4F.4000604@nbmc.de>
References: <420A3C4F.4000604@nbmc.de>
Message-ID: <420A92E4.2010603@comcast.net>
Skipped content of type multipart/mixed-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 434 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050209/3720988f/signature-0001.pgp
From dshaw at jabberwocky.com Wed Feb 9 23:53:47 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 9 23:50:30 2005
Subject: revoking a UID
In-Reply-To: <420A9284.9070104@jason.markley.name>
References: <420A9284.9070104@jason.markley.name>
Message-ID: <20050209225347.GH13550@jabberwocky.com>
On Wed, Feb 09, 2005 at 05:45:24PM -0500, Jason Markley wrote:
> When one revokes a UID to effectivly change addresses, how does that
> affect the signatures that were on the key?
>
>
> In other words...
>
> 1. Generate a key with uid1.
> 2. Get this key signed by your friends, etc.
> 3. Generate a new uid, uid2.
> 4. revoke the old uid, uid1.
>
> Will your friends that signed your key origionally still see your key as
> valid?
No.
> Will they have to sign the new uid in order to have your key be
> valid again?
Yes.
> What are the security implications of having your friends still see
> your key as valid when you've revoked the uid that they signed?
None, since it doesn't happen ;)
What people generally call "signing a key" is really "signing a
key+uid". If you revoke a uid, then those signatures are no longer
meaningful.
David
From JPClizbe at comcast.net Thu Feb 10 00:25:53 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Thu Feb 10 00:22:45 2005
Subject: gnupg windows, per user homedir on a terminal server
In-Reply-To: <420A92E4.2010603@comcast.net>
References: <420A3C4F.4000604@nbmc.de> <420A92E4.2010603@comcast.net>
Message-ID: <420A9C01.1080906@comcast.net>
Skipped content of type multipart/mixed-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 434 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050209/4ec221b8/signature.pgp
From dshaw at jabberwocky.com Thu Feb 10 00:29:28 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 10 00:26:19 2005
Subject: GD doesn't always accept revocations
In-Reply-To: <20050209223846.GN3466@wilma.widomaker.com>
References: <20050209193319.GK3466@wilma.widomaker.com>
<20050209195358.GE13201@jabberwocky.com>
<20050209200111.GA42975@wilma.widomaker.com>
<20050209202618.GL3466@wilma.widomaker.com>
<20050209203257.GB13550@jabberwocky.com>
<20050209211450.GM3466@wilma.widomaker.com>
<20050209212548.GE13550@jabberwocky.com>
<20050209223846.GN3466@wilma.widomaker.com>
Message-ID: <20050209232928.GI13550@jabberwocky.com>
On Wed, Feb 09, 2005 at 05:38:46PM -0500, Jason Harris wrote:
> On Wed, Feb 09, 2005 at 04:25:48PM -0500, David Shaw wrote:
> > On Wed, Feb 09, 2005 at 04:14:51PM -0500, Jason Harris wrote:
>
> > > It needs only to verify the revocation and remove the key immediately.
> >
> > Well, that's one possible answer. Why don't you suggest it to the GD
> > people?
>
> If this isn't already self-evident to them...
Maybe it is, and maybe it isn't. If you just want to complain, then I
guess you're all set. If you want something actually fixed you should
tell them.
> > Why go through a lot of bother to find an expired or revoked key which
> > you then manipulate into being acceptable? Just make a brand new key
> > with your victim's email address and submit that. It's the same
> > result.
>
> For one thing, anyone who followed the GD FAQ and simply removed a key
> from the GD without revoking it in their own keyring may be duped into
> confirming the fingerprint of a key they once used and probably still
> have. The key may or may not be expired, but their encryption client
> definitely can't heed a revocation that was never generated.
That sounds like a lot of 'ifs' to me. Sure, if you can dupe them
into doing something stupid, and if that key had been revoked before,
and if they then removed it from the GD, and if they had forgotten
they had done so, then maybe you have an attack?
It's always possible to come up with an attack if you get to use
enough 'ifs'.
David
From JPClizbe at comcast.net Thu Feb 10 00:32:04 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Thu Feb 10 00:29:00 2005
Subject: gnupg windows, per user homedir on a terminal server
In-Reply-To: <420A9C01.1080906@comcast.net>
References: <420A3C4F.4000604@nbmc.de> <420A92E4.2010603@comcast.net>
<420A9C01.1080906@comcast.net>
Message-ID: <420A9D74.1090601@comcast.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
John Clizbe wrote:
> John Clizbe wrote:
>> Alexander Bien wrote:
>>> hello folks,
>
> Let's try that attachment one more time.
Sorry, PGP/MIME is base-64 encoding the text file. Should've just pasted
it in to begin with.
Time to go for a walk
+++++
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\GNU\GNUPG]
"gpgProgram"="C:\\Program Files\\Gnu\\GnuPG\\gpg.exe"
"HomeDir"=hex(2):25,00,41,00,50,00,50,00,44,00,41,00,54,00,41,00,25,00,5c,00,\
47,00,6e,00,75,00,50,00,47,00,00,00
"Install Directory"="C:\\Program Files\\GNU\\GnuPG"
+++++
- --
John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (MingW32)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the ?33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFCCp1zHQSsSmCNKhARAqrXAKC4ZPBODYtWTheSqUYE66278E1rDgCeID4u
WxG3og4zhbRCkQ6v/9A11as=
=aNkF
-----END PGP SIGNATURE-----
From jharris at widomaker.com Thu Feb 10 02:25:42 2005
From: jharris at widomaker.com (Jason Harris)
Date: Thu Feb 10 02:21:59 2005
Subject: GD doesn't always accept revocations
In-Reply-To: <20050209232928.GI13550@jabberwocky.com>
References: <20050209193319.GK3466@wilma.widomaker.com>
<20050209195358.GE13201@jabberwocky.com>
<20050209200111.GA42975@wilma.widomaker.com>
<20050209202618.GL3466@wilma.widomaker.com>
<20050209203257.GB13550@jabberwocky.com>
<20050209211450.GM3466@wilma.widomaker.com>
<20050209212548.GE13550@jabberwocky.com>
<20050209223846.GN3466@wilma.widomaker.com>
<20050209232928.GI13550@jabberwocky.com>
Message-ID: <20050210012542.GP3466@wilma.widomaker.com>
On Wed, Feb 09, 2005 at 06:29:28PM -0500, David Shaw wrote:
> On Wed, Feb 09, 2005 at 05:38:46PM -0500, Jason Harris wrote:
> > If this isn't already self-evident to them...
>
> Maybe it is, and maybe it isn't. If you just want to complain, then I
> guess you're all set. If you want something actually fixed you should
> tell them.
I wasn't complaining. I had a valid question about why the GD wasn't
accepting a 0x20 signature and we had a productive conversation about it.
I think this particular keyholder DTRT by sending their revoked key to
a keyserver that would accept it, and I hope more people read this thread
and come to the same conclusion.
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050209/dd7e66ac/attachment.pgp
From dshaw at jabberwocky.com Thu Feb 10 04:36:06 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 10 04:32:56 2005
Subject: unable to execute program `gpgkeys_hkp': Permission denied
In-Reply-To: <20050209214834.GF13440@anl.gov>
References: <200502092045.54635.adam00f@ducksburg.com>
<20050209210131.GE13440@anl.gov>
<20050209211832.GD13550@jabberwocky.com>
<20050209214834.GF13440@anl.gov>
Message-ID: <20050210033606.GC13965@jabberwocky.com>
On Wed, Feb 09, 2005 at 03:48:34PM -0600, Stewart V. Wright wrote:
> G'day David,
>
> * David Shaw [050209 15:27]:
> > If you don't mention bugs, they can never be fixed.
>
> Mea culpa.
>
>
> > What configure command line did you use originally? Did you use
> > --prefix or something similar?
>
> I'm not sure what Adam did, but I just used the included .spec file to
> create an rpm and installed that.
>
> Oh, the .spec file is faulty too with regards installing the info
> pages - and I know I reported that for 1.2.6:
>
> http://marc.theaimsgroup.com/?l=gnupg-devel&m=109354656722315&w=2
Try this spec file. If it works for you, I'll put it in 1.4.1. It
works ok on a FC3 box here.
David
-------------- next part --------------
#
# gnupg -- gnu privacy guard
# This is a template. The dist target uses it to create the real file.
#
%define version 1.4.1rc1
%define name gnupg
Summary: GNU Utility for data encryption and digital signatures
Summary(it): Utility GNU per la sicurezza nelle comunicazioni e nell'archiviazione dei dati.
Summary(cs): GNU n?stroj pro ?ifrovanou komunikaci a bezpe?n? ukl?d?n? dat
Summary(fr): Utilitaire GNU de chiffrement et d'authentification des communications et des donn?es
Summary(pl): Narzedzie GNU do szyfrowania i podpisywania danych
Vendor: GNU Privacy Guard Project
Name: %{name}
Version: %{version}
Release: 1
Copyright: GPL
Group: Applications/Cryptography
Group(cs): Aplikace/?ifrov?n?
Group(fr): Applications/Cryptographie
Group(it): Applicazioni/Crittografia
Source: ftp://ftp.gnupg.org/gcrypt/gnupg/%{name}-%{version}.tar.gz
URL: http://www.gnupg.org/
Provides: gpg openpgp
Requires(post,preun): /sbin/install-info
BuildRoot: %{_tmppath}/rpmbuild_%{name}-%{version}
%changelog
* Wed Jul 30 2003 David Shaw
- Rework much of the spec to use %-macros throughout.
- Fix to work properly with RPM 4.1 (all files in buildroot must be packaged)
- Package and install info files.
- Tweak the English description.
- There is no need to install gpgv and gpgsplit setuid root.
* Sat Nov 30 2002 David Shaw
- Add convert-from-106 script
* Sat Oct 26 2002 David Shaw
- Use new path for keyserver helpers.
- /usr/lib is no longer used for cipher/hash plugins.
- Include gpgv, gpgsplit, and the new gnupg.7 man page.
* Fri Apr 19 2002 David Shaw
- Removed OPTIONS and pubring.asc - no longer used
- Added doc/samplekeys.asc
* Sun Mar 31 2002 David Shaw
- Added the gpgkeys_xxx keyserver helpers.
- Added a * to catch variations on the basic gpg man page (gpg, gpgv).
- Mark options.skel as a config file.
- Do not include the FAQ/faq.html twice (in /doc/ and /share/).
* Wed Sep 06 2000 Fabio Coatti
- Added Polish description and summary (Kindly provided by
Lukasz Stelmach )
* Thu Jul 13 2000 Fabio Coatti
- Added a * to catch all formats for man pages (plain, gz, bz2...)
* Mon May 01 2000 Fabio Coatti
- Some corrections in French description, thanks to Ga?l Qu?ri
; Some corrections to Italian descriptions.
* Tue Apr 25 2000 Fabio Coatti
- Removed the no longer needed patch for man page by Keith Owens
* Wed Mar 1 2000 Petr Kri?tof
- Czech descriptions added; some fixes and updates.
* Sat Jan 15 2000 Keith Owens
- Add missing man page as separate patch instead of updating the tar file.
* Mon Dec 27 1999 Fabio Coatti
- Upgraded for 1.0.1 (added missing gpg.1 man page)
* Sat May 29 1999 Fabio Coatti
- Some corrections in French description, thanks to Ga?l Qu?ri
* Mon May 17 1999 Fabio Coatti
- Added French description, provided by
Christophe Labouisse
* Thu May 06 1999 Fabio Coatti
- Upgraded for 0.9.6 (removed gpgm)
* Tue Jan 12 1999 Fabio Coatti
- LINGUAS variable is now unset in configure to ensure that all languages will be built. (Thanks to Luca Olivetti )
* Sat Jan 02 1999 Fabio Coatti
- Added pl language file.
- Included g10/pubring.asc in documentation files.
* Sat Dec 19 1998 Fabio Coatti
- Modified the spec file provided by Caskey L. Dickson
- Now it can be built also by non-root. Installation has to be done as
root, gpg is suid.
- Added some changes by Ross Golder
- Updates for version 0.4.5 of GnuPG (.mo files)
%description
GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and
creating digital signatures. GnuPG has advanced key management
capabilities and is compliant with the proposed OpenPGP Internet
standard described in RFC-2440. Since GnuPG doesn't use any patented
algorithms, it is not compatible with some versions of PGP 2 which use
only the patented IDEA algorithm. See
http://www.gnupg.org/why-not-idea.html for information on using IDEA
if the patent does not apply to you and you need to be compatible with
these versions of PGP 2.
%description -l it
GnuPG (GNU Privacy Guard) ? una utility GNU per la cifratura di dati e
la creazione di firme digitali. Possiede una gestione avanzata delle
chiavi ed ? conforme allo standard Internet OpenPGP, descritto nella
RFC 2440. Non utilizzando algoritmi brevettati, non ? compatibile con
PGP2 (PGP2.x usa solo IDEA, coperto da brevetto mondiale, ed RSA,
brevettato negli USA con scadenza 20/09/2000). Questi algoritmi sono
utilizzabili da GnuPG tramite moduli esterni.
%description -l fr
GnuPG est un utilitaire GNU destin? ? chiffrer des donn?es et ? cr?er
des signatures ?lectroniques. Il a des capacit?s avanc?es de gestion de
cl?s et il est conforme ? la norme propos?e OpenPGP d?crite dans la
RFC2440. Comme GnuPG n'utilise pas d'algorithme brevet?, il n'est
compatible avec aucune version de PGP2 (PGP2.x ne sait utiliser que
l'IDEA brevet? dans le monde entier et RSA, brevet? aux ?tats-Unis
jusqu'au 20 septembre 2000).
%description -l cs
GnuPG je GNU n?stroj pro bezpe?nou komunikaci a ukl?d?n? dat. M??e b?t
pou?it na ?ifrov?n? dat a vytv??en? digit?ln?ch podpis?. Obsahuje
funkce pro pokro?ilou spr?vu kl??? a vyhovuje navrhovan?mu OpenPGP
Internet standardu podle RFC2440. Byl vytvo?en jako kompletn?
n?hrada za PGP. Proto?e neobsahuje ?ifrovac? algoritmy IDEA nebo RSA,
m??e b?t pou??v?n bez omezen?.
Proto?e GnuPG nepou??v? ??dn? patentovan? algoritmus, nem??e b?t ?pln?
kompatibiln? s PGP verze 2. PGP 2.x pou??v? algoritmy IDEA (patentov?no
celosv?tov?) a RSA (patentov?no ve Spojen?ch st?tech do 20. z???
2000). Tyto algoritmy lze zav?st do GnuPG pomoc? extern?ch modul?.
%description -l pl
GnuPG (GNU Privacy Guard) jest nazedziem do szfrowania danych i tworzenia
cyfrowych podpis?w. GnuPG posiada zaawansowane mozliwosci obslugi kluczy
i jest zgodne z OpenPGP, proponowanym standardem internetowym opisanym
w RFC2440. Poniewaz GnuPG nie uzywa zadnych opatentowanych algorytm?w
nie jest wiec zgodne z jaka kolwiek wersja PGP2 (PGP2.x kozysta jedynie
z algorytm?w: IDEA, opatentowanego na calym swiecie, oraz RSA, kt?rego
patent na terenie Stan?w Zjednoczonych wygasa 20 wrzesnia 2000).
%prep
rm -rf $RPM_BUILD_ROOT
%setup
%build
if test -n "$LINGUAS"; then
unset LINGUAS
fi
%configure --program-prefix=%{?_program_prefix:%{_program_prefix}} \
--libexecdir=%{_libexecdir}/gnupg
make
%install
%makeinstall libexecdir=$RPM_BUILD_ROOT/%{_libexecdir}/gnupg
%find_lang %{name}
rm %{buildroot}%{_datadir}/%{name}/FAQ
rm %{buildroot}%{_datadir}/%{name}/faq.html
rm %{buildroot}%{_infodir}/dir
%files -f %{name}.lang
%defattr (-,root,root)
%doc INSTALL AUTHORS COPYING NEWS README THANKS TODO PROJECTS doc/DETAILS
%doc doc/FAQ doc/faq.html doc/HACKING doc/OpenPGP doc/samplekeys.asc
%doc %attr (0755,root,root) tools/convert-from-106
%config %{_datadir}/%{name}/options.skel
%{_mandir}/man1/*
%{_mandir}/man7/*
%{_infodir}/gpg.info*
%{_infodir}/gpgv.info*
%attr (4755,root,root) %{_bindir}/gpg
%attr (0755,root,root) %{_bindir}/gpgv
%attr (0755,root,root) %{_bindir}/gpgsplit
%attr (0755,root,root) %{_libexecdir}/gnupg/*
%post
/sbin/install-info %{_infodir}/gpg.info %{_infodir}/dir 2>/dev/null || :
/sbin/install-info %{_infodir}/gpgv.info %{_infodir}/dir 2>/dev/null || :
%preun
if [ $1 = 0 ]; then
/sbin/install-info --delete %{_infodir}/gpg.info \
%{_infodir}/dir 2>/dev/null || :
/sbin/install-info --delete %{_infodir}/gpgv.info \
%{_infodir}/dir 2>/dev/null || :
fi
%clean
rm -rf $RPM_BUILD_ROOT
rm -rf $RPM_BUILD_DIR/%{name}-%{version}
From swp5jhu02 at sneakemail.com Wed Feb 9 15:45:00 2005
From: swp5jhu02 at sneakemail.com (=?ISO-8859-1?Q?Peter_Valdemar_M=F8rch?=)
Date: Thu Feb 10 10:40:49 2005
Subject: 1.4.0: Howto verify a signed file quickly - without
any --homedir...
In-Reply-To: <20050208141057.GA10444@jabberwocky.com>
References: <42088D30.1060800@sneakemail.com>
<20050208141057.GA10444@jabberwocky.com>
Message-ID: <420A21EC.9040800@sneakemail.com>
David Shaw dshaw-at-jabberwocky.com |Lists| wrote:
> It sounds like you are looking for gpgv, which comes with GnuPG. It
> does just what you want - verifies files and nothing else.
YES!
# gpgv --keyring /my/key.ring /some/file
Does the trick! Thanks!
Peter
--
Peter Valdemar M?rch
http://www.morch.com
From texmex at uni.de Thu Feb 10 14:29:56 2005
From: texmex at uni.de (Gregor Zattler)
Date: Thu Feb 10 14:26:42 2005
Subject: didn't help either (was: Re: it's not a PATH problem )
In-Reply-To: <420A7E97.2070907@mail.pf>
References: <420A7E97.2070907@mail.pf>
Message-ID: <20050210132956.GF15215@pit.ID-43118.user.dfncis.de>
Hi Maxine,
* Maxine Brandt [09. Feb. 2005]:
> Gregor Zattler wrote:
> >> Try '.\gpg --help'
> >>
> >> 'gpg --help' will search the PATH
> >>
> >> '.\gpg --help' looks in the current directory
> >>
> >> BTW, --version serves the same purpose without generating as much output
> >> and also has some helpful info
>
>
> > Did it: same problem.
>
> The reason for your problem is that under w'98 the SHGetFolderPath is found in
> shfolder.dll and not in shell32.dll, but the rc1 code has overlooked this
> particularity. The issue has been reported on the gnupg-devel list:
>
> http://marc.theaimsgroup.com/?l=gnupg-devel&m=110751660616663&w=2
"my" shfolder.dll is version 5.00.2919.200 and
$ grep -i SHGetFolderPath SHFOLDER.DLL
Binary file SHFOLDER.DLL matches
Gregor
From rhea102075 at yahoo.com Thu Feb 10 15:37:09 2005
From: rhea102075 at yahoo.com (Rhea Felipe)
Date: Thu Feb 10 16:27:10 2005
Subject: Help with Encryption.
Message-ID: <20050210143709.61319.qmail@web90007.mail.scd.yahoo.com>
Hi, Im new to GnuPG and email encryption. A friend of
mind sent me a public key (0x123ABCD5) and he wants me
to encrypt my emails for him.
How do I do this?
I am using Enigmail with Mozilla Thunderbird Ver. 0.8
thanks.
__________________________________
Do you Yahoo!?
Yahoo! Mail - Find what you need with new enhanced search.
http://info.mail.yahoo.com/mail_250
From wk at gnupg.org Thu Feb 10 17:15:12 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 10 17:15:56 2005
Subject: didn't help either
In-Reply-To: <20050210132956.GF15215@pit.ID-43118.user.dfncis.de> (Gregor
Zattler's message of "Thu, 10 Feb 2005 14:29:56 +0100")
References: <420A7E97.2070907@mail.pf>
<20050210132956.GF15215@pit.ID-43118.user.dfncis.de>
Message-ID: <87y8dwpf1r.fsf@wheatstone.g10code.de>
On Thu, 10 Feb 2005 14:29:56 +0100, Gregor Zattler said:
> "my" shfolder.dll is version 5.00.2919.200 and
meanwhile this has changed in the CVS. We first try to find the
fucntion in shell32 and if this fails in shfolder. If this all does
not work, no application specific data is used and we fall back to
HKCU, HKLM and finally to c:\gnupg. I posted a patch to gnupg-devel@
recently.
Salam-Shalom,
Werner
From wk at gnupg.org Thu Feb 10 17:19:29 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 10 17:16:10 2005
Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME?
In-Reply-To: <420A251B.6050406@iotest.org> (mconahan@iotest.org's message of
"Wed, 09 Feb 2005 09:58:35 -0500")
References: <41F55EEF.7020301@iotest.org> <41F585B5.1030208@comcast.net>
<41F67AD8.2000503@iotest.org> <42091012.7080206@iotest.org>
<87sm46yxzk.fsf@wheatstone.g10code.de> <420A251B.6050406@iotest.org>
Message-ID: <87u0okpeum.fsf@wheatstone.g10code.de>
On Wed, 09 Feb 2005 09:58:35 -0500, mconahan@iotest org said:
> GnuPG options "--homedir", "--keyring", "--no-default-keyring", and
> "--secret-keyring" for a context (at a minmum I need the use of the
> latter three)?
No. We won't even support --keyring in the future because the concept
of a keyring may change over time. The only configuration which makes
sense is a different homedir.
> If there is not a way 'out of the box', where in the GPGME source
> would I have to add the above GnuPG arguments, in order to have them
> sent to GnuPG along with the rest of the arguments already specified
> in the context? Would it be the function "build_argv" in rungpg.c?
This should work for you, however there is no guantee that this will
work in the future. Better plan ahead and make use of different
Homedirs than to switch keyrings. One goal of gpgme is to hide the
actual implementation of the engine and the keyring is such a thing.
Even the notation of a homedir might eventually be different between
gpgme and a backend engine (i.e. gpg).
Shalom-Salam,
Werner
From sk at intertivity.com Thu Feb 10 17:33:06 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Thu Feb 10 17:29:11 2005
Subject: didn't help either
In-Reply-To: <20050210132956.GF15215@pit.ID-43118.user.dfncis.de>
References: <420A7E97.2070907@mail.pf>
<20050210132956.GF15215@pit.ID-43118.user.dfncis.de>
Message-ID: <420B8CC2.4020102@intertivity.com>
Yes, but your version of gpg doesn't know that the function is not
located in shell32.dll but in shfolder.dll
Gregor Zattler schrieb:
>Hi Maxine,
>* Maxine Brandt [09. Feb. 2005]:
>
>
>>Gregor Zattler wrote:
>>
>>
>>>>Try '.\gpg --help'
>>>>
>>>>'gpg --help' will search the PATH
>>>>
>>>>'.\gpg --help' looks in the current directory
>>>>
>>>>BTW, --version serves the same purpose without generating as much output
>>>>and also has some helpful info
>>>>
>>>>
>>
>>
>>>Did it: same problem.
>>>
>>>
>>The reason for your problem is that under w'98 the SHGetFolderPath is found in
>>shfolder.dll and not in shell32.dll, but the rc1 code has overlooked this
>>particularity. The issue has been reported on the gnupg-devel list:
>>
>>http://marc.theaimsgroup.com/?l=gnupg-devel&m=110751660616663&w=2
>>
>>
>
>"my" shfolder.dll is version 5.00.2919.200 and
>$ grep -i SHGetFolderPath SHFOLDER.DLL
>Binary file SHFOLDER.DLL matches
>
>Gregor
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users@gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
>
From sk at intertivity.com Thu Feb 10 17:51:50 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Thu Feb 10 17:48:01 2005
Subject: Changing the password of a secret key
Message-ID: <420B9126.9030606@intertivity.com>
hi.
tried to change a password of a secret key by calling gpg from a program.
Here the way i tried it. Created a file named "uhu". It looks like this:
passwd
uhu
test
save
where uhu is the old-password and test the newpassword.
Then i called gpg:
gpg.exe --status-fd 1 --command-fd 0 --edit-key mustermann < uhu
The output is the following:
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
Key is protected.
[GNUPG:] USERID_HINT DB6D141403B8E2E8 Max Musterman
[GNUPG:] NEED_PASSPHRASE DB6D141403B8E2E8 DB6D141403B8E2E8 1 0
You need a passphrase to unlock the secret key for
user: "Max Musterman "
1024-bit RSA key, ID 03B8E2E8, created 2005-02-04
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] GOOD_PASSPHRASE
Enter the new passphrase for this secret key.
[GNUPG:] NEED_PASSPHRASE_SYM 3 3 2
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
[GNUPG:] GET_BOOL keyedit.save.okay
[GNUPG:] GOT_IT
Too me it looks pretty good but that password remained unchanged!
Any hints on that?
Thank you!
From wk at gnupg.org Thu Feb 10 18:55:32 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 10 18:55:55 2005
Subject: Changing the password of a secret key
In-Reply-To: <420B9126.9030606@intertivity.com> (Sascha Kiefer's message of
"Thu, 10 Feb 2005 17:51:50 +0100")
References: <420B9126.9030606@intertivity.com>
Message-ID: <878y5wpaej.fsf@wheatstone.g10code.de>
On Thu, 10 Feb 2005 17:51:50 +0100, Sascha Kiefer said:
> [GNUPG:] GET_LINE keyedit.prompt
> [GNUPG:] GOT_IT
You send "save" here.
> [GNUPG:] GET_BOOL keyedit.save.okay
> [GNUPG:] GOT_IT
But you missed to send "y" here. It takes the EOF as the default "N"
and then exists due to the EOF.
Werner
From jediknight2 at ec.rr.com Thu Feb 10 18:35:36 2005
From: jediknight2 at ec.rr.com (jediknight2)
Date: Thu Feb 10 19:10:36 2005
Subject: Specify output directory during encrypt
Message-ID: <8975622.1108056936015.JavaMail.Administrator@ATP2>
Is there a way to specify where to output files during the encryption
process...for instance if I have files in C:\Testing that I want to encrypt
using --multifile and want the encrypted files in C:\Output..can gpg do that
directly or am I going to have to use a DOS move command??
From ms419 at freezone.co.uk Thu Feb 10 18:41:55 2005
From: ms419 at freezone.co.uk (ms419@freezone.co.uk)
Date: Thu Feb 10 19:19:08 2005
Subject: "http" & "finger" keyserver schemes
In-Reply-To: <20050207131930.GA29857@jabberwocky.com>
References: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk>
<20050207131930.GA29857@jabberwocky.com>
Message-ID: <20050210174155.GA21347@fis.lat>
On Mon, Feb 07, 2005 at 08:19:30AM -0500, David Shaw wrote:
> On Sun, Feb 06, 2005 at 08:52:00PM -0800, ms419@freezone.co.uk wrote:
> > I don't get how to receive keys using using the "http" & "finger"
> > keyserver schemes.
> >
> > I tried some variations on -
> >
> >
> > gpg --keyserver finger:wk@g10code.com --recv-keys
> >
> > gpg --keyserver "http://eatflamingdeath.com/~dleslie/pubkey.asc"
> > --recv-keys
> >
> >
> > - but nothing I tried worked. Receiving keys from "ldap" or "hkp"
> > keyservers is no problem -
> >
> >
> > gpg --keyserver ldap://keyserver.pgp.com --search-keys Lypkie
> >
> > gpg --keyserver hkp://pgp.mit.edu --search-keys Demwell
> >
> >
> > Frustratingly, I couldn't find examples on the web or in the
> > documentation of using "http" or "finger" keyserver schemes. Can anyone
> > help?
>
> http and finger schemes are most useful for putting in preferred
> keyserver URLs so the key can be automatically refreshed. They're not
> really intended for use on the command line, but it's possible to fool
> the system into working on the command line by doing something like:
>
> gpg --keyserver finger:the_finger@example.com --recv-keys 99999999
>
> i.e. "receive key 99999999 from finger:the_finger@example.com". The
> key that arrives probably won't be 99999999, but it'll arrive anyway.
IC - thanks for the excellent information, David & Nicolas!
I added a "sig-keyserver-url" & "keyserver-options auto-key-retrieve" to
my gpg.conf, & sure enough! verifying data signatures retrieves my
key from my preferred keyserver, if it's absent -
I also tried signing a friend's key, but either key signing doesn't
include my "sig-keyserver-url", or I'm not correctly verifying the
signature - "gpg --keyserver-options auto-key-retrieve --list-options
show-keyserver-urls --check-sigs" doesn't retrieve the key with which I
signed my friend's key, if it's absent.
More insight?
Thanks!
Jack
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : /pipermail/attachments/20050210/b5589b0d/attachment.pgp
From mconahan at iotest.org Thu Feb 10 20:29:39 2005
From: mconahan at iotest.org (mconahan@iotest.org)
Date: Thu Feb 10 20:25:57 2005
Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME?
In-Reply-To: <87u0okpeum.fsf@wheatstone.g10code.de>
References: <41F55EEF.7020301@iotest.org>
<41F585B5.1030208@comcast.net> <41F67AD8.2000503@iotest.org>
<42091012.7080206@iotest.org> <87sm46yxzk.fsf@wheatstone.g10code.de>
<420A251B.6050406@iotest.org>
<87u0okpeum.fsf@wheatstone.g10code.de>
Message-ID: <420BB623.4080509@iotest.org>
Werner Koch wrote:
>On Wed, 09 Feb 2005 09:58:35 -0500, mconahan@iotest org said:
>
>
>
>>GnuPG options "--homedir", "--keyring", "--no-default-keyring", and
>>"--secret-keyring" for a context (at a minmum I need the use of the
>>latter three)?
>>
>>
>
>No. We won't even support --keyring in the future because the concept
>of a keyring may change over time. The only configuration which makes
>sense is a different homedir.
>
>
>
>>If there is not a way 'out of the box', where in the GPGME source
>>would I have to add the above GnuPG arguments, in order to have them
>>sent to GnuPG along with the rest of the arguments already specified
>>in the context? Would it be the function "build_argv" in rungpg.c?
>>
>>
>
>This should work for you, however there is no guantee that this will
>work in the future. Better plan ahead and make use of different
>Homedirs than to switch keyrings. One goal of gpgme is to hide the
>actual implementation of the engine and the keyring is such a thing.
>Even the notation of a homedir might eventually be different between
>gpgme and a backend engine (i.e. gpg).
>
>
>Shalom-Salam,
>
> Werner
>
>
>
>
Thanks for the feedback - understood.
From adam00f at ducksburg.com Thu Feb 10 20:39:15 2005
From: adam00f at ducksburg.com (Adam Funk)
Date: Thu Feb 10 20:35:23 2005
Subject: unable to execute program `gpgkeys_hkp': Permission denied
In-Reply-To:
References:
Message-ID: <200502101939.16126.adam00f@ducksburg.com>
> > I compiled and installed GnuPG 1.4.0. Everything works except
> > interaction with keyservers. When I use --send-key, --recv-key or
> > --refresh, it always fails thus:
> >
> > $ gpg -v --recv-key F09BDAD5
> > gpg: requesting key F09BDAD5 from hkp server pgp.mit.edu
> > gpg: unable to execute program `gpgkeys_hkp': Permission denied
> > gpg: keyserver internal error
> > gpg: keyserver receive failed: keyserver error
> >
> > How do I fix this?
>
> I had the same problem. For some reason GnuPG wants these gpgkey_*
> files in /usr/libexec/gnupg/, but they are installed in /usr/libexec
>
> Just symlink them (*) and then submit a bug report - I was and still
> am too lazy to do it myself.
Hmm. I found all those files in /usr/local/libexec/gnupg/ on my system,
but identified a related problem: the /usr/local/libexec
and /usr/local/libexec/gnupg directories were not world-executable.
"chmod a+x /usr/local/libexec /usr/local/libexec/gnupg" fixed it. Thanks
for pointing me in the right direction.
Is this a bug in the install?
From dshaw at jabberwocky.com Thu Feb 10 21:18:39 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 10 21:15:32 2005
Subject: unable to execute program `gpgkeys_hkp': Permission denied
In-Reply-To: <200502101939.16126.adam00f@ducksburg.com>
References:
<200502101939.16126.adam00f@ducksburg.com>
Message-ID: <20050210201839.GB781@jabberwocky.com>
On Thu, Feb 10, 2005 at 07:39:15PM +0000, Adam Funk wrote:
> > > I compiled and installed GnuPG 1.4.0. Everything works except
> > > interaction with keyservers. When I use --send-key, --recv-key or
> > > --refresh, it always fails thus:
> > >
> > > $ gpg -v --recv-key F09BDAD5
> > > gpg: requesting key F09BDAD5 from hkp server pgp.mit.edu
> > > gpg: unable to execute program `gpgkeys_hkp': Permission denied
> > > gpg: keyserver internal error
> > > gpg: keyserver receive failed: keyserver error
> > >
> > > How do I fix this?
> >
> > I had the same problem. For some reason GnuPG wants these gpgkey_*
> > files in /usr/libexec/gnupg/, but they are installed in /usr/libexec
> >
> > Just symlink them (*) and then submit a bug report - I was and still
> > am too lazy to do it myself.
>
> Hmm. I found all those files in /usr/local/libexec/gnupg/ on my system,
> but identified a related problem: the /usr/local/libexec
> and /usr/local/libexec/gnupg directories were not world-executable.
> "chmod a+x /usr/local/libexec /usr/local/libexec/gnupg" fixed it. Thanks
> for pointing me in the right direction.
>
> Is this a bug in the install?
GnuPG doesn't actually do the install. Rather, automake does. It
seems to take your umask into account when doing it through. What is
your umask?
David
From tv at beamnet.de Thu Feb 10 20:13:16 2005
From: tv at beamnet.de (Thomas Viehmann)
Date: Thu Feb 10 21:15:48 2005
Subject: GnuPG 1.2 encryption key selection with authentication keys
Message-ID: <420BB24C.6010807@beamnet.de>
Hi,
I've added a triple of subkeys on the OpenPGP card to my key, including
an authentication subkey. It seems that GnuPG 1.2 prefers this key for
encryption (and with gpg 1.2 I see encryption and signing as
capabilities), because I generated it last.
Is there a way to make GnuPG 1.2 prefer the actual encryption key by
default?
Kind regards and thanks in advance
T.
--
Thomas Viehmann, http://thomas.viehmann.net/
From swright at physics.adelaide.edu.au Thu Feb 10 21:23:41 2005
From: swright at physics.adelaide.edu.au (Stewart V. Wright)
Date: Thu Feb 10 21:20:25 2005
Subject: unable to execute program `gpgkeys_hkp': Permission denied
In-Reply-To: <20050210033606.GC13965@jabberwocky.com>
References: <200502092045.54635.adam00f@ducksburg.com>
<20050209210131.GE13440@anl.gov>
<20050209211832.GD13550@jabberwocky.com>
<20050209214834.GF13440@anl.gov>
<20050210033606.GC13965@jabberwocky.com>
Message-ID: <20050210202341.GD29994@anl.gov>
G'day David,
Sorry about the delay in replying, work got in the way of fun!
* David Shaw [050209 21:43]:
> Try this spec file. If it works for you, I'll put it in 1.4.1. It
> works ok on a FC3 box here.
Sorry to say, but this still doesn't work on my FC2 box. :-(
Two problems:
1) The location of the gpgkeys_* files is still wrong.
2) The info "dir" file still doesn't get created.
CAVEAT: I modified the .spec file so that it tries to install the
1.4.0 release - I didn't try 1.4.1rc1 so the first problem might have
gone away... I will have a go with 1.4.1rc1 when I get some more
time.
Explanations
------------
1) File location problems.
This new spec file installs the gpgkeys_* in /usr/libexec/gnupg/ as
one would hope, but gpg looks for them in /usr/libexec/gnupg/gnupg/!
It looks like there is some doubling up of libexecdir in the spec file
and keyserver/Makefile.am... libexecdir in keyserver/Makefile.am is
defined as @libexecdir@/@PACKAGE@ which would give the extra layer of
gnupg causing the problem.
I'll leave the fix as an exercise for the reader! ;-)
2) info "dir" file.
I'm not entirely sure that it isn't user error, but I can build RPMs
from pretty much everything else without problems. :-(
The error I still get from (rpmbuild -bb gnucash.spec) is the
following:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[SNIP]
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/tmp/fedora/tmp/gnupg-1.4.0'
make[1]: Leaving directory `/tmp/fedora/tmp/gnupg-1.4.0'
+ /usr/lib/rpm/redhat/find-lang.sh /tmp/fedora/tmp/rpmbuild_gnupg-1.4.0 gnupg
+ rm /tmp/fedora/tmp/rpmbuild_gnupg-1.4.0/usr/share/gnupg/FAQ
+ rm /tmp/fedora/tmp/rpmbuild_gnupg-1.4.0/usr/share/gnupg/faq.html
+ rm /tmp/fedora/tmp/rpmbuild_gnupg-1.4.0/usr/share/info/dir
rm: cannot remove `/tmp/fedora/tmp/rpmbuild_gnupg-1.4.0/usr/share/info/dir': No such file or directory
error: Bad exit status from /tmp/fedora/tmp/rpm-tmp.2023 (%install)
RPM build errors:
Bad exit status from /tmp/fedora/tmp/rpm-tmp.2023 (%install)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When I comment out the "rm ..../info/dir" line from the spec file the
creation of the .rpm goes ahead successfully.
As I said, I'm not sure if this is the fault of something I'm doing,
or FC2, but GnuPG is the only code that seems to have this problem for
me.
Cheers,
S.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 274 bytes
Desc: Digital signature
Url : /pipermail/attachments/20050210/1a317229/attachment.pgp
From dshaw at jabberwocky.com Thu Feb 10 21:46:12 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 10 21:43:01 2005
Subject: GnuPG 1.2 encryption key selection with authentication keys
In-Reply-To: <420BB24C.6010807@beamnet.de>
References: <420BB24C.6010807@beamnet.de>
Message-ID: <20050210204612.GC781@jabberwocky.com>
On Thu, Feb 10, 2005 at 08:13:16PM +0100, Thomas Viehmann wrote:
> Hi,
>
> I've added a triple of subkeys on the OpenPGP card to my key, including
> an authentication subkey. It seems that GnuPG 1.2 prefers this key for
> encryption (and with gpg 1.2 I see encryption and signing as
> capabilities), because I generated it last.
> Is there a way to make GnuPG 1.2 prefer the actual encryption key by
> default?
Upgrade. This was a bug fixed in GnuPG 1.2.7.
David
From swright at physics.adelaide.edu.au Thu Feb 10 23:58:05 2005
From: swright at physics.adelaide.edu.au (Stewart V. Wright)
Date: Thu Feb 10 23:54:54 2005
Subject: unable to execute program `gpgkeys_hkp': Permission denied
In-Reply-To: <20050210202341.GD29994@anl.gov>
References: <200502092045.54635.adam00f@ducksburg.com>
<20050209210131.GE13440@anl.gov>
<20050209211832.GD13550@jabberwocky.com>
<20050209214834.GF13440@anl.gov>
<20050210033606.GC13965@jabberwocky.com>
<20050210202341.GD29994@anl.gov>
Message-ID: <20050210225805.GF29994@anl.gov>
G'day David,
Second thoughts on the RPM problem...
> 1) File location problems.
>
> This new spec file installs the gpgkeys_* in /usr/libexec/gnupg/ as
> one would hope, but gpg looks for them in /usr/libexec/gnupg/gnupg/!
I've just remembered that I can get 1.4.0 to install in a non-standard
directory and it works fine (just compiling by hand), so this
definitely looks like a problem with the arguments to configure and
make in the .spec file. *NOT* a problem with keyserver/Makefile.am
like I suggested before. I'll claim that it was a lack of coffee that
caused my mistake!
I'll have a play around with the spec file and make some more
suggestions over the next few days.
Cheers,
S.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 274 bytes
Desc: Digital signature
Url : /pipermail/attachments/20050210/ab931395/attachment.pgp
From JPClizbe at comcast.net Fri Feb 11 00:08:15 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Fri Feb 11 00:05:00 2005
Subject: Help with Encryption.
In-Reply-To: <20050210143709.61319.qmail@web90007.mail.scd.yahoo.com>
References: <20050210143709.61319.qmail@web90007.mail.scd.yahoo.com>
Message-ID: <420BE95F.3080609@comcast.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Rhea Felipe wrote:
> Hi, Im new to GnuPG and email encryption. A friend of
> mind sent me a public key (0x123ABCD5) and he wants me
> to encrypt my emails for him.
>
> How do I do this?
>
> I am using Enigmail with Mozilla Thunderbird Ver. 0.8
If his email address is on one of the User IDs on the key, you simply
compose an email message to him and select to Encryptthe message, either
by toggling the key in the lower right of the message composition pane, or
by selecting Encrypt from the Enigmail pull-down menu in the same panel.
If his email address is does not match any UID, a key selection window
should popup so long as 'Display selection when necessary' is selected in
Enigmail's preferences. If this is the case, you may wish to define a key
selection rule for this recipient.
More Enigmail specific help is available at the Enigmail site,
http://enigmail.mozdev.org, and the enigmail mailing list,
enigmail@mozdev.org.
- --
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
GingerBear Consluting PGP/GPG KeyID: 0x608D2A10
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (MingW32)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the ?33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFCC+leHQSsSmCNKhARAoKQAJwPRX7iZUDKtiTXLrOKzG2sqjUBEACgx3dJ
AT/C/mFELDtJoUEkqf4f/mQ=
=gFHp
-----END PGP SIGNATURE-----
From finalcut at videotron.ca Thu Feb 10 23:21:17 2005
From: finalcut at videotron.ca (finalcut@videotron.ca)
Date: Fri Feb 11 00:22:36 2005
Subject: Trying gnupg with thebat!
Message-ID: <1456428286.20050210172117@videotron.ca>
Hello all,
I've just finished configuring thebat to work with GnuPG but when I enter my password it tells me that converting to utf-8 to CP0 is unavailable.
what is the problem?
Regards,
--
The FinalCut
finalcut@videotron.ca
Thebat: 3.0.2.10
From bill at cse.ucdavis.edu Thu Feb 10 23:22:42 2005
From: bill at cse.ucdavis.edu (Bill Broadley)
Date: Fri Feb 11 00:23:52 2005
Subject: GPG corruption
Message-ID: <20050210222242.GE17353@cse.ucdavis.edu>
This is with [root@csebeo v]# gpg --version
gpg (GnuPG) 1.2.1
I put 12 files into a .tar:
tar cvzf b.tar bp*
I encrypted them with a symmetric key:
gpg -c b.tar
The result was fairly large (this is running on an opteron running
redhat RHEL):
ls -alh b.tar.gpg
-rw-r--r-- 1 root root 4.1G Feb 1 23:25 b.tar.gpg
Now to decode it:
gpg --output b.tar --decrypt b.tar.gpg
gpg: CAST5 encrypted data
gpg: [don't know]: invalid packet (ctb=75)
gpg: uncompressing failed: unknown compress algorithm
The resulting file is partially there:
$ ls -alh b.tar
-rw-r--r-- 1 root root 103M Feb 10 14:16 b.tar
Tar seems to think it's valid:
tar tvf bg-s01-s12.tar
drwxrwxr-x root/root 0 2005-01-28 17:51:28 bpdata/
-rw-r--r-- root/root 36955832 2005-01-16 17:47:40 bpdata/bd.001
Any ideas?
--
Bill Broadley
Computational Science and Engineering
UC Davis
From dshaw at jabberwocky.com Fri Feb 11 01:20:02 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Feb 11 01:16:50 2005
Subject: GPG corruption
In-Reply-To: <20050210222242.GE17353@cse.ucdavis.edu>
References: <20050210222242.GE17353@cse.ucdavis.edu>
Message-ID: <20050211002002.GA1476@jabberwocky.com>
On Thu, Feb 10, 2005 at 02:22:42PM -0800, Bill Broadley wrote:
>
> This is with [root@csebeo v]# gpg --version
> gpg (GnuPG) 1.2.1
>
> I put 12 files into a .tar:
> tar cvzf b.tar bp*
>
> I encrypted them with a symmetric key:
> gpg -c b.tar
>
> The result was fairly large (this is running on an opteron running
> redhat RHEL):
> ls -alh b.tar.gpg
> -rw-r--r-- 1 root root 4.1G Feb 1 23:25 b.tar.gpg
Judging by the file size, I think you've been bitten by a 2gig file
size limit.
GnuPG 1.2.1 is very old. You should upgrade, as that limit was
removed (ironically, only 4 days after 1.2.1 was released).
David
From linux at codehelp.co.uk Fri Feb 11 01:28:54 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Fri Feb 11 01:25:02 2005
Subject: GPG corruption
In-Reply-To: <20050210222242.GE17353@cse.ucdavis.edu>
References: <20050210222242.GE17353@cse.ucdavis.edu>
Message-ID: <200502110028.57734.linux@codehelp.co.uk>
On Thursday 10 February 2005 10:22 pm, Bill Broadley wrote:
> This is with [root@csebeo v]# gpg --version
Why as root????
> gpg (GnuPG) 1.2.1
>
> I put 12 files into a .tar:
> tar cvzf b.tar bp*
If you use -z, you will get a compressed archive - it could be confusing to
give this the name .tar which usually refers to an uncompressed archive:
.tar.gz for -z
>
> The resulting file is partially there:
> $ ls -alh b.tar
> -rw-r--r-- 1 root root 103M Feb 10 14:16 b.tar
>
> Tar seems to think it's valid:
> tar tvf bg-s01-s12.tar
Now you've stopped using -z - what's going on?
> drwxrwxr-x root/root 0 2005-01-28 17:51:28 bpdata/
> -rw-r--r-- root/root 36955832 2005-01-16 17:47:40 bpdata/bd.001
>
> Any ideas?
Make absolutely sure what you are doing and use names that help others see
what you are doing, also avoid using root whenever possible.
--
Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.neil.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050211/ed1ba78e/attachment.pgp
From wesley.tabadore at gmail.com Fri Feb 11 00:49:43 2005
From: wesley.tabadore at gmail.com (Wesley Tabadore)
Date: Fri Feb 11 01:54:16 2005
Subject: GPG and GroupWise
Message-ID:
Anyone using GPG and GroupWise? I know that there are GroupWise
plug-ins for PGP, but have not been able to locate any info on
GroupWise.
Thanks,
Wes
From sebastian-schubert at gmx.de Fri Feb 11 01:02:08 2005
From: sebastian-schubert at gmx.de (Sebastian Schubert)
Date: Fri Feb 11 01:57:04 2005
Subject: newbie questions
Message-ID: <200502110102.08337.sebastian-schubert@gmx.de>
Hi,
I'm new to gpg and I'm sure you can help me.
I created two main keys (twice --gen-key) and I added a second user ID
to the first one. I can choose which one I take with the -u option. But
how can I choose which user ID of the first main key to take? Do I
always have to change it with "primary"?
I signed a document with the first key and then I decrypted it and gpg
gave me both email addresses (I guess you know the English version):
gpg: Unterschrift vom Fr 11 Feb 2005 00:22:37 CET, DSA Schl?ssel ID
130EAA7E
gpg: Korrekte Unterschrift von "Sebastian Schubert "
gpg: alias "Sebastian Schubert "
So does it make sense to use several user IDs when everybody can see
everything immediately? When I add or delete a user ID, do I have to
get the signs for my key again?
Thanks for helping me
Sebastian
From bill at cse.ucdavis.edu Fri Feb 11 02:23:10 2005
From: bill at cse.ucdavis.edu (Bill Broadley)
Date: Fri Feb 11 02:19:23 2005
Subject: GPG corruption
In-Reply-To: <200502110028.57734.linux@codehelp.co.uk>
References: <20050210222242.GE17353@cse.ucdavis.edu>
<200502110028.57734.linux@codehelp.co.uk>
Message-ID: <20050211012310.GA23953@cse.ucdavis.edu>
On Fri, Feb 11, 2005 at 12:28:54AM +0000, Neil Williams wrote:
> On Thursday 10 February 2005 10:22 pm, Bill Broadley wrote:
> > This is with [root@csebeo v]# gpg --version
>
> Why as root????
Because as a user I didn't have enough space to keep multiple copies
of a 4GB file around for debugging. Fixed.
> > gpg (GnuPG) 1.2.1
> >
> > I put 12 files into a .tar:
> > tar cvzf b.tar bp*
>
> If you use -z, you will get a compressed archive - it could be confusing to
> give this the name .tar which usually refers to an uncompressed archive:
> .tar.gz for -z
Agreed, I'm reconstructing this from my command history, the original
files are gone, er well encrypted. I had tried z, but after realizing I
was getting a significant slow down and zero compression I reran the
command without the z and ended up with just a .tar file.
> > The resulting file is partially there:
> > $ ls -alh b.tar
> > -rw-r--r-- 1 root root 103M Feb 10 14:16 b.tar
> >
> > Tar seems to think it's valid:
> > tar tvf bg-s01-s12.tar
>
> Now you've stopped using -z - what's going on?
Sorry, I pasted the wrong command from my history, the .tar is not
compressed.
> > drwxrwxr-x root/root 0 2005-01-28 17:51:28 bpdata/
> > -rw-r--r-- root/root 36955832 2005-01-16 17:47:40 bpdata/bd.001
> >
> > Any ideas?
>
> Make absolutely sure what you are doing and use names that help others see
> what you are doing, also avoid using root whenever possible.
I encrypted a tar file using gpg -c, and now when I try to decrypt
I get:
[bill@csebeo v]$ /opt/pkg/gnupg-1.4.0/bin/gpg --output b.tar b.tar.gpg
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: [don't know]: invalid packet (ctb=75)
gpg: uncompressing failed: unknown compress algorithm
gpg: WARNING: message was not integrity protected
[bill@csebeo v]$ ls -alh
total 4.2G
drwxr-xr-x 2 bill root 4.0K Feb 10 16:44 .
drwxr-xr-x 5 bill root 4.0K Feb 8 01:38 ..
-rw-rw-r-- 1 bill bill 103M Feb 10 16:44 b.tar
-rw-r--r-- 1 bill root 4.1G Feb 1 23:25 b.tar.gpg
b.tar seems intact for the first 103MB, and b.tar.gpg seems populated
with random looking binary stuff all the way out to 4.1GB. I.e. it's not
zero filled over the (possible) 2GB limit.
--
Bill Broadley
Computational Science and Engineering
UC Davis
From dshaw at jabberwocky.com Fri Feb 11 02:28:20 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Feb 11 02:24:59 2005
Subject: GPG corruption
In-Reply-To: <20050211012310.GA23953@cse.ucdavis.edu>
References: <20050210222242.GE17353@cse.ucdavis.edu>
<200502110028.57734.linux@codehelp.co.uk>
<20050211012310.GA23953@cse.ucdavis.edu>
Message-ID: <20050211012820.GA1802@jabberwocky.com>
On Thu, Feb 10, 2005 at 05:23:10PM -0800, Bill Broadley wrote:
> b.tar seems intact for the first 103MB, and b.tar.gpg seems populated
> with random looking binary stuff all the way out to 4.1GB. I.e. it's not
> zero filled over the (possible) 2GB limit.
It wouldn't be. It's an encoding bug that was fixed in 1.2.2. The
data is there, it's just not encoded properly so GnuPG won't read it.
David
From dshaw at jabberwocky.com Fri Feb 11 02:11:15 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Feb 11 04:46:45 2005
Subject: [Announce] Attack against OpenPGP encryption
Message-ID: <20050211011115.GD1476@jabberwocky.com>
Skipped content of type multipart/signed-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
From dshaw at jabberwocky.com Fri Feb 11 02:00:17 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Feb 11 04:48:51 2005
Subject: [Announce] Attack against OpenPGP encryption
Message-ID: <20050211010017.GC1476@jabberwocky.com>
Skipped content of type multipart/signed-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
From kabads at gmail.com Fri Feb 11 08:11:24 2005
From: kabads at gmail.com (Adam Cripps)
Date: Fri Feb 11 08:08:07 2005
Subject: Help with Encryption.
In-Reply-To: <20050210143709.61319.qmail@web90007.mail.scd.yahoo.com>
References: <20050210143709.61319.qmail@web90007.mail.scd.yahoo.com>
Message-ID:
On Thu, 10 Feb 2005 06:37:09 -0800 (PST), Rhea Felipe
wrote:
> Hi, Im new to GnuPG and email encryption. A friend of
> mind sent me a public key (0x123ABCD5) and he wants me
> to encrypt my emails for him.
>
> How do I do this?
>
> I am using Enigmail with Mozilla Thunderbird Ver. 0.8
>
> thanks.
Have you imported your friend's public key into your keyring? Enigmail
should allow you to do this.
Adam
--
http://www.monkeez.org
PGP key: 0x7111B833
From adam00f at ducksburg.com Fri Feb 11 08:52:20 2005
From: adam00f at ducksburg.com (Adam Funk)
Date: Fri Feb 11 08:48:26 2005
Subject: unable to execute program `gpgkeys_hkp': Permission denied
In-Reply-To:
References:
Message-ID: <200502110752.20696.adam00f@ducksburg.com>
On Friday 11 February 2005 00:21, gnupg-users-request@gnupg.org wrote:
> > Hmm. ?I found all those files in /usr/local/libexec/gnupg/ on my
> > system, but identified a related problem: the /usr/local/libexec
> > and /usr/local/libexec/gnupg directories were not world-executable.
> > "chmod a+x /usr/local/libexec /usr/local/libexec/gnupg" fixed it.
> > ?Thanks for pointing me in the right direction.
> >
> > Is this a bug in the install?
>
> GnuPG doesn't actually do the install. ?Rather, automake does. ?It
> seems to take your umask into account when doing it through. ?What is
> your umask?
I did the "./configure" and "make" with 0077, then "su", then "make
install" with 0022.
From list at rachinsky.de Fri Feb 11 10:54:56 2005
From: list at rachinsky.de (Nicolas Rachinsky)
Date: Fri Feb 11 10:51:18 2005
Subject: "http" & "finger" keyserver schemes
In-Reply-To: <20050210174155.GA21347@fis.lat>
References: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk>
<20050207131930.GA29857@jabberwocky.com>
<20050210174155.GA21347@fis.lat>
Message-ID: <20050211095456.GA99540@pc5.i.0x5.de>
* ms419@freezone.co.uk [2005-02-10 09:41 -0800]:
> I also tried signing a friend's key, but either key signing doesn't
> include my "sig-keyserver-url", or I'm not correctly verifying the
> signature - "gpg --keyserver-options auto-key-retrieve --list-options
> show-keyserver-urls --check-sigs" doesn't retrieve the key with which I
> signed my friend's key, if it's absent.
>
> More insight?
The option you would need for this would be named cert-keyserver-url.
But according to the manpage it does not exist.
Nicolas
From tv at beamnet.de Fri Feb 11 11:45:02 2005
From: tv at beamnet.de (Thomas Viehmann)
Date: Fri Feb 11 11:41:06 2005
Subject: GnuPG 1.2 encryption key selection with authentication keys
Message-ID: <20050211.Q1P.33669800@phpgroupware.vomhagen.com>
Thanks, David, for the quick answer.
David Shaw (dshaw@jabberwocky.com) wrote:
> > Is there a way to make GnuPG 1.2 prefer the actual encryption key by
> > default?
> Upgrade. This was a bug fixed in GnuPG 1.2.7.
Unfortunately, my own upgrading won't fix the bug on the side of the encryptor
whose preference to use old versions of GnuPG I'm not having much hope of
influincing. Is there anything (short of revoking it) I can do to make the
authentication less attractive to (the broken versions) of GnuPG?
I considered manipulating the encryption key's binding signature to have a
newer date, but my guess is that while this would work locally, I'd probably
run into trouble with the keyservers.
Kind regards
Thomas
From johanw at vulcan.xs4all.nl Fri Feb 11 14:45:07 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri Feb 11 14:41:17 2005
Subject: [Announce] Attack against OpenPGP encryption
In-Reply-To: <20050211010017.GC1476@jabberwocky.com> from David Shaw at "Feb
10, 2005 08:00:17 pm"
Message-ID: <200502111345.OAA00653@vulcan.xs4all.nl>
David Shaw wrote:
>3) It might be effective against an automated process that
> incorporates OpenPGP decryption, if that process returns errors
> back to the sender.
[...]
> attached two patches to this mail. These patches disable a
> portion of the OpenPGP protocol that the attack is exploiting.
So the solution is changing the way that errors are reported back to the
sender in this case?
> These patches will be part of the 1.2.8 and 1.4.1 releases of GnuPG.
Any idea when these versions are about to be released?
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From wk at gnupg.org Fri Feb 11 16:21:07 2005
From: wk at gnupg.org (Werner Koch)
Date: Fri Feb 11 16:20:52 2005
Subject: [Announce] Attack against OpenPGP encryption
In-Reply-To: <200502111345.OAA00653@vulcan.xs4all.nl> (Johan Wevers's
message of "Fri, 11 Feb 2005 14:45:07 +0100 (MET)")
References: <200502111345.OAA00653@vulcan.xs4all.nl>
Message-ID: <87ekfnktr0.fsf@wheatstone.g10code.de>
On Fri, 11 Feb 2005 14:45:07 +0100 (MET), Johan Wevers said:
> So the solution is changing the way that errors are reported back to the
> sender in this case?
If you at all need to return an error, make sure that this is just a
boolean without additional error diagnostics. In security this is
considered state of the art.
To hinder oracle attacks, it is general a good design point to delay
the responses or batch them up and send them back at fixed intervals.
> Any idea when these versions are about to be released?
1.4.1rc2 is planned for this weekend but unexpected things kept me
away from working on it. So early next week is more likely.
Given that we think that this is not a serious attack in any current
real world cases, a 1.2.8 won't be released right away.
If there would really be such vulnerable systems, the admins should
for sure be on the watch and must have heard about the attack and
patch gnupg right away. They are for sure aware about such a system
because they need to have a passphrase distribution mechanism
installed and running. The odds of a vulnerable passphrase
distribution process are higher than those of a successful
attack. Recall that this attack won't work with public key encryption.
Shalom-Salam,
Werner
From dshaw at jabberwocky.com Fri Feb 11 17:04:18 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Feb 11 17:01:00 2005
Subject: GnuPG 1.2 encryption key selection with authentication keys
In-Reply-To: <20050211.Q1P.33669800@phpgroupware.vomhagen.com>
References: <20050211.Q1P.33669800@phpgroupware.vomhagen.com>
Message-ID: <20050211160418.GG13140@jabberwocky.com>
On Fri, Feb 11, 2005 at 10:45:02AM +0000, Thomas Viehmann wrote:
> Thanks, David, for the quick answer.
>
> David Shaw (dshaw@jabberwocky.com) wrote:
> > > Is there a way to make GnuPG 1.2 prefer the actual encryption key by
> > > default?
> > Upgrade. This was a bug fixed in GnuPG 1.2.7.
> Unfortunately, my own upgrading won't fix the bug on the side of the encryptor
> whose preference to use old versions of GnuPG I'm not having much hope of
> influincing. Is there anything (short of revoking it) I can do to make the
> authentication less attractive to (the broken versions) of GnuPG?
> I considered manipulating the encryption key's binding signature to have a
> newer date, but my guess is that while this would work locally, I'd probably
> run into trouble with the keyservers.
Unfortunately, manipulating the binding signature by itself won't
work. You'd have to manipulate the date field in the key itself,
since that is what is used to determine which subkey to use. It's
probably easier to revoke that subkey and make a new one which will
also make the encryption key the most recent.
You could also revoke the authentication subkey, but then you couldn't
use it, of course.
Note that PGP (even the latest 8.1) has the same bug. The PGP folks
have been informed and are working on it.
David
From cedar at 3web.net Fri Feb 11 18:18:14 2005
From: cedar at 3web.net (C. D. Rok)
Date: Fri Feb 11 18:15:16 2005
Subject: [Announce] Attack against OpenPGP encryption
In-Reply-To: <200502111345.OAA00653@vulcan.xs4all.nl>
References: <200502111345.OAA00653@vulcan.xs4all.nl>
Message-ID: <420CE8D6.1080106@3web.net>
Johan Wevers wrote:
> So the solution is changing the way that errors are reported back to the
> sender in this case?
It appears to me that the solution is re-exaimnation of the protocol
on a more fundamenatl level. In symetric systems, the correspondent
is never an adversary, while in public key systems the assumption must
be made that the correspondent is *always* also an adversary.
CD Rok
From malte.gell at gmx.de Fri Feb 11 17:23:48 2005
From: malte.gell at gmx.de (Malte Gell)
Date: Fri Feb 11 18:33:39 2005
Subject: [Announce] Attack against OpenPGP encryption
In-Reply-To: <20050211010017.GC1476@jabberwocky.com>
References: <20050211010017.GC1476@jabberwocky.com>
Message-ID: <200502111723.48257.malte.gell@gmx.de>
On Friday 11 February 2005 02:00, David Shaw wrote:
> Last night, Serge Mister and Robert Zuccherato published a paper
> reporting on an attack against OpenPGP symmetric encryption.
> [...]
> There is a very good writeup on the attack that goes into more depth
> at http://www.pgp.com/library/ctocorner/openpgp.html
This is really amazing stuff. I just read their PDF and they make a
suggestion how a new kind of "quick check" could like like: adding the
hash of the symmetric key... I'm not a cryptologist, but this sounds
absolutely crazy, this would mean in the future the security of
symmetric encryption relies not only on the cipher, but on a hash
algorithm... regarding the recent discussions and rumours about hash
algorithms in general, is this really safer!?
Are there several different ideas what the new "quick check" could look
like or is there even already a consesus what it could look like?
Regards
Malte
From wk at gnupg.org Fri Feb 11 19:39:03 2005
From: wk at gnupg.org (Werner Koch)
Date: Fri Feb 11 19:35:55 2005
Subject: [Announce] Attack against OpenPGP encryption
In-Reply-To: <420CE8D6.1080106@3web.net> (C. D. Rok's message of "Fri, 11
Feb 2005 17:18:14 +0000")
References: <200502111345.OAA00653@vulcan.xs4all.nl>
<420CE8D6.1080106@3web.net>
Message-ID: <874qgjj60o.fsf@wheatstone.g10code.de>
On Fri, 11 Feb 2005 17:18:14 +0000, C D Rok said:
> on a more fundamenatl level. In symetric systems, the correspondent
> is never an adversary, while in public key systems the assumption must
You forgot about the man in the middle or here even someone who
sniffend the message and replays it. They both would take the same
message and modify it which is what the attack is about.
Werner
From swright at physics.adelaide.edu.au Fri Feb 11 21:20:00 2005
From: swright at physics.adelaide.edu.au (Stewart V. Wright)
Date: Fri Feb 11 21:17:04 2005
Subject: [PATCH] gnupg.spec [WAS: unable to execute program `gpgkeys_hkp':
Permission denied]
In-Reply-To: <20050210225805.GF29994@anl.gov>
References: <200502092045.54635.adam00f@ducksburg.com>
<20050209210131.GE13440@anl.gov>
<20050209211832.GD13550@jabberwocky.com>
<20050209214834.GF13440@anl.gov>
<20050210033606.GC13965@jabberwocky.com>
<20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov>
Message-ID: <20050211202000.GD7710@anl.gov>
Skipped content of type multipart/mixed-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 274 bytes
Desc: Digital signature
Url : /pipermail/attachments/20050211/15fadb17/attachment-0001.pgp
From atom at smasher.org Fri Feb 11 22:05:17 2005
From: atom at smasher.org (Atom Smasher)
Date: Fri Feb 11 22:00:24 2005
Subject: [Announce] Attack against OpenPGP encryption
In-Reply-To: <87ekfnktr0.fsf@wheatstone.g10code.de>
References: <200502111345.OAA00653@vulcan.xs4all.nl>
<87ekfnktr0.fsf@wheatstone.g10code.de>
Message-ID: <20050211210412.77468.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
as is obvious by my questions, i don't understand the math.
http://www.pgp.com/library/ctocorner/openpgp.html
Consequently, PGP Corporation, GnuPG, and Hush Communications are
all disabling the quick check for all public key-encrypted
messages and files. However, we are all presently leaving it in
for symmetric (passphrase) encrypted messages and files because we
believe the benefit of the quick check is greater than the
security risk from it. You will see this change in the next
software release from each group.
what about data that is encrypted with both a symmetric and asymmetric
key?
In our discussions with Mister and Zuccherato about their attack,
we asked if they thought we should revise the protocol to address
the problem. They told us they didn't think it was necessary-that
an explanation of the issue and how to avoid it was good enough.
As implementers of OpenPGP systems, however, we think we should
update the protocol. People trust OpenPGP because we handle issues
before they become real-world problems...
how could this "become" a real world problem? is it conceivable that it
might be leveraged into a stronger attack?
We are suggesting in the working group that we amend OpenPGP so
there is a new symmetric encryption system that has a secure quick
check.
like using a strong hash for the quick check? wouldn't that also benefit
symmetric encryption with no significant increase in computational
resources?
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"Democracy and capitalism have very different beliefs about
the proper distribution of power. One believes in a
completely equal distribution of political power, 'one man,
one vote', while the other believes that it is the duty of
the economically fit to drive the unfit out of business and
into economic extinction, and inequalities in purchasing
power is what capitalist efficiency is all about. Individuals
and firms become efficient to be rich. To put it in its
starkest form, capitalism is perfectly compatible with
slavery. The American South had such a system for more than
two centuries. Democracy is not compatible with slavery."
-- Lester Thurow, The Future of Capitalism
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCDR4TAAoJEAx/d+cTpVciwaQH/AuJ09RtdT3Ta249w7ap8Btc
SlfsBaDTSGAQ65lZ9T0cD1T72m7uLB7cmqA3RuDPHYA0OtRDiwnZPqbvY2ApUVeg
qzi1FK7d6n2GpTVeqXAmpPqv0w6Ley+dkJTINVnSXEQJd1CluJ1G4ljWCOs4nYbP
HmB/wy0Eyq4M2wGncXnBxAiQ1Ck1iwVZpw4tvb40maI5wrQAK72YRcPjHDx8StM0
KiQp11JlkqXvlhOaayuJap7EHm1yzXQFMaekol9bf+gh1Le9NX0PfxvC2ShxR/R7
qyaaOyi8nmiiWq/FNuWmCkXMl+tXATfQKJns2YZzMFg2OIv8rP/o5TcKzCzrQhY=
=RN9Y
-----END PGP SIGNATURE-----
From atom at smasher.org Fri Feb 11 22:25:43 2005
From: atom at smasher.org (Atom Smasher)
Date: Fri Feb 11 22:20:50 2005
Subject: set-filename / use-embedded-filename
Message-ID: <20050211212440.97270.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
does the embedded file name info only apply to encrypted (and stored)
data, but not signed data? in the rfc (2440:5.9) i don't see where it
shouldn't apply to signed files.
verifying a signed file with "-v" i always see this line:
gpg: original file name=''
even if i use "--set-filename" when creating a signature.
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"Any society which does not insist upon respect for all
life must necessarily decay."
-- Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCDSLcAAoJEAx/d+cTpVciLcMH/3/Gna0AqXQ92QWJQLeItuA+
C+eyhtV9LOH5XUoSjEw/zy426ID3RPiX3pKdT4glGtTetQ5+kCbLE7KWAwRueIDM
GciW9FNodfFbKYGM5K6wQU4pXNAzsOzEX1iAy0+imWg1kLQkRLMar771NQbrWdmX
aftYi4kLuOTElcZNbA2yMt5+cZGGi5Zic8Pz+nEBgUhJLdFx6Hu5VL7+vIlqH6Os
3DDNBTfZ7kfRGZYGSz0bMECq2LnFdXGNNY+rQb3tc+jTxk3LX+GgCWx6gNrQhfg+
5un/aeBBd5TAtM9J1fIRkd9DoS86a4IOA9DhcI+QGv1NnJUq4G/d3ugMX03Jxaw=
=2tzV
-----END PGP SIGNATURE-----
From dshaw at jabberwocky.com Sat Feb 12 02:18:15 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Feb 12 02:14:56 2005
Subject: [Announce] Attack against OpenPGP encryption
In-Reply-To: <20050211210412.77468.qmail@smasher.org>
References: <200502111345.OAA00653@vulcan.xs4all.nl>
<87ekfnktr0.fsf@wheatstone.g10code.de>
<20050211210412.77468.qmail@smasher.org>
Message-ID: <20050212011815.GB22367@jabberwocky.com>
On Fri, Feb 11, 2005 at 04:05:17PM -0500, Atom Smasher wrote:
> as is obvious by my questions, i don't understand the math.
>
> http://www.pgp.com/library/ctocorner/openpgp.html
>
> Consequently, PGP Corporation, GnuPG, and Hush Communications are
> all disabling the quick check for all public key-encrypted
> messages and files. However, we are all presently leaving it in
> for symmetric (passphrase) encrypted messages and files because we
> believe the benefit of the quick check is greater than the
> security risk from it. You will see this change in the next
> software release from each group.
>
> what about data that is encrypted with both a symmetric and asymmetric
> key?
Even in those cases, the same methodology applies. If the candidate
session key came from an assymmetric decryption, then the check is not
done. If the candidate came from a passphrase mangling or
passphrase-encrypted session key, then the check is done.
> In our discussions with Mister and Zuccherato about their attack,
> we asked if they thought we should revise the protocol to address
> the problem. They told us they didn't think it was necessary-that
> an explanation of the issue and how to avoid it was good enough.
>
> As implementers of OpenPGP systems, however, we think we should
> update the protocol. People trust OpenPGP because we handle issues
> before they become real-world problems...
>
> how could this "become" a real world problem? is it conceivable that it
> might be leveraged into a stronger attack?
Probably not, but once weakness is visible, it's generally good
practice to start moving to something better. Look at MD5 - the first
weakness was shown in 1996, if I recall. It took 8 years to get to
the serious break in 2004, but OpenPGP started migrating away from it
back in 1996, so the break wasn't as big a deal.
> We are suggesting in the working group that we amend OpenPGP so
> there is a new symmetric encryption system that has a secure quick
> check.
>
> like using a strong hash for the quick check? wouldn't that also benefit
> symmetric encryption with no significant increase in computational
> resources?
It wouldn't help or hurt the symmetric encryption. It would just help
in being a quick check.
David
From dshaw at jabberwocky.com Sat Feb 12 02:18:46 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Feb 12 02:15:39 2005
Subject: set-filename / use-embedded-filename
In-Reply-To: <20050211212440.97270.qmail@smasher.org>
References: <20050211212440.97270.qmail@smasher.org>
Message-ID: <20050212011846.GC22367@jabberwocky.com>
On Fri, Feb 11, 2005 at 04:25:43PM -0500, Atom Smasher wrote:
> does the embedded file name info only apply to encrypted (and stored)
> data, but not signed data? in the rfc (2440:5.9) i don't see where it
> shouldn't apply to signed files.
>
> verifying a signed file with "-v" i always see this line:
> gpg: original file name=''
> even if i use "--set-filename" when creating a signature.
I assume you are talking about --clearsign here. --sign does include
the embedded file name. --clearsign has no filename, so that field is
blank.
David
From atom at smasher.org Sat Feb 12 03:57:10 2005
From: atom at smasher.org (Atom Smasher)
Date: Sat Feb 12 03:52:13 2005
Subject: set-filename / use-embedded-filename
In-Reply-To: <20050212011846.GC22367@jabberwocky.com>
References: <20050211212440.97270.qmail@smasher.org>
<20050212011846.GC22367@jabberwocky.com>
Message-ID: <20050212025603.31896.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Fri, 11 Feb 2005, David Shaw wrote:
> I assume you are talking about --clearsign here. --sign does include
> the embedded file name. --clearsign has no filename, so that field is
> blank.
==============
ok... so if the signature is both clear and attached, i guess there's no
need to include the original file name, huh?
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"Politics is the art of preventing people from taking part
in affairs which properly concern them."
-- Paul Valery
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCDXCMAAoJEAx/d+cTpVciDMgH/RChkWTl3E8MwtOq86rojhZW
VULuP1JdV1U4uIIlJlNhCWmKvVQAhtBXaRf3/IL0HdtZqK9U5FyhxcR0w0WFV3ty
2bbE3W/Z2RfkOFMkFQP0VzevEbhEJ/cSwqDtgzXob8y351yi+cGr1GiEA+mwD3gq
Wl1vVvqCncmI5Ea108e17b6Ab2E3c5O2zer/Qav1nHKi7VtV67pr5x5xJxYa4FQY
WsVGNAD/wZppZd/NX2U60Lg8SGH//GKoZ8da9oI089hi48gherZafWs3bJRsB/h/
/32K53VsQ8fH2jlBqsFWJKrYGExUUZXI2r2vS0GhTpSydSFiG/9Jr/obExAKKac=
=vDfD
-----END PGP SIGNATURE-----
From dshaw at jabberwocky.com Sat Feb 12 05:25:34 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Feb 12 05:33:43 2005
Subject: set-filename / use-embedded-filename
In-Reply-To: <20050212025603.31896.qmail@smasher.org>
References: <20050211212440.97270.qmail@smasher.org>
<20050212011846.GC22367@jabberwocky.com>
<20050212025603.31896.qmail@smasher.org>
Message-ID: <20050212042534.GB22456@jabberwocky.com>
On Fri, Feb 11, 2005 at 09:57:10PM -0500, Atom Smasher wrote:
> On Fri, 11 Feb 2005, David Shaw wrote:
>
> > I assume you are talking about --clearsign here. --sign does include
> > the embedded file name. --clearsign has no filename, so that field is
> > blank.
> ==============
>
> ok... so if the signature is both clear and attached, i guess there's no
> need to include the original file name, huh?
It's not meaningful to have a file name there. The idea behind
keeping the original filename around is so you can reconstruct the
original file to its pre-encryption state. In the case of
clearsigning, the clearsigned document *is* the document, so there is
nothing to reconstruct.
David
From dshaw at jabberwocky.com Sat Feb 12 05:52:40 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Feb 12 05:49:25 2005
Subject: "http" & "finger" keyserver schemes
In-Reply-To: <20050210174155.GA21347@fis.lat>
References: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk>
<20050207131930.GA29857@jabberwocky.com>
<20050210174155.GA21347@fis.lat>
Message-ID: <20050212045240.GD22456@jabberwocky.com>
On Thu, Feb 10, 2005 at 09:41:55AM -0800, ms419@freezone.co.uk wrote:
> I added a "sig-keyserver-url" & "keyserver-options auto-key-retrieve" to
> my gpg.conf, & sure enough! verifying data signatures retrieves my
> key from my preferred keyserver, if it's absent -
>
> I also tried signing a friend's key, but either key signing doesn't
> include my "sig-keyserver-url", or I'm not correctly verifying the
> signature - "gpg --keyserver-options auto-key-retrieve --list-options
> show-keyserver-urls --check-sigs" doesn't retrieve the key with which I
> signed my friend's key, if it's absent.
There is no feature to include a keyserver URL inside a key signature.
It's not an impossible thing to do, but there is no support for it
currently.
David
From dshaw at jabberwocky.com Sat Feb 12 06:05:06 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Feb 12 06:01:50 2005
Subject: [PATCH] gnupg.spec [WAS: unable to execute program
`gpgkeys_hkp': Permission denied]
In-Reply-To: <20050211202000.GD7710@anl.gov>
References: <200502092045.54635.adam00f@ducksburg.com>
<20050209210131.GE13440@anl.gov>
<20050209211832.GD13550@jabberwocky.com>
<20050209214834.GF13440@anl.gov>
<20050210033606.GC13965@jabberwocky.com>
<20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov>
<20050211202000.GD7710@anl.gov>
Message-ID: <20050212050506.GE22456@jabberwocky.com>
On Fri, Feb 11, 2005 at 02:20:00PM -0600, Stewart V. Wright wrote:
> 1) Removed --libexecdir=%{_libexecdir}/gnupg from the configure
> option. I'm not entirely sure why it still needs to be there for
> the make install, but this is an rpm issue, not an auto{make,conf}
> one.
It looks like it's needed for the make because the RPM macro for
%makeinstall is Being Helpful and overriding the libexecdir variable
back to what it was before we overrode it in the first place.
> 2) Removed the 'rm %{buildroot}%{_infodir}/dir' line. This file is
> not created in the rpm building process, only in the install.
I don't think this is correct. Removing that line causes the rpmbuild
to fail on my system. Do you have the info package installed? That
may be the difference between your box and mine.
Try the attached spec. I think it should work now.
David
-------------- next part --------------
#
# gnupg -- gnu privacy guard
# This is a template. The dist target uses it to create the real file.
#
%define version 1.4.1rc1
%define name gnupg
Summary: GNU Utility for data encryption and digital signatures
Summary(it): Utility GNU per la sicurezza nelle comunicazioni e nell'archiviazione dei dati.
Summary(cs): GNU n?stroj pro ?ifrovanou komunikaci a bezpe?n? ukl?d?n? dat
Summary(fr): Utilitaire GNU de chiffrement et d'authentification des communications et des donn?es
Summary(pl): Narzedzie GNU do szyfrowania i podpisywania danych
Vendor: GNU Privacy Guard Project
Name: %{name}
Version: %{version}
Release: 1
Copyright: GPL
Group: Applications/Cryptography
Group(cs): Aplikace/?ifrov?n?
Group(fr): Applications/Cryptographie
Group(it): Applicazioni/Crittografia
Source: ftp://ftp.gnupg.org/gcrypt/gnupg/%{name}-%{version}.tar.gz
URL: http://www.gnupg.org/
Provides: gpg openpgp
Requires(post,preun): /sbin/install-info
BuildRoot: %{_tmppath}/rpmbuild_%{name}-%{version}
%changelog
* Wed Feb 09 2005 David Shaw
- Fix problem with storing the gpgkeys helpers in libexec, but calling
them in libexec/gnupg.
* Wed Jul 30 2003 David Shaw
- Rework much of the spec to use %-macros throughout.
- Fix to work properly with RPM 4.1 (all files in buildroot must be packaged)
- Package and install info files.
- Tweak the English description.
- There is no need to install gpgv and gpgsplit setuid root.
* Sat Nov 30 2002 David Shaw
- Add convert-from-106 script
* Sat Oct 26 2002 David Shaw
- Use new path for keyserver helpers.
- /usr/lib is no longer used for cipher/hash plugins.
- Include gpgv, gpgsplit, and the new gnupg.7 man page.
* Fri Apr 19 2002 David Shaw
- Removed OPTIONS and pubring.asc - no longer used
- Added doc/samplekeys.asc
* Sun Mar 31 2002 David Shaw
- Added the gpgkeys_xxx keyserver helpers.
- Added a * to catch variations on the basic gpg man page (gpg, gpgv).
- Mark options.skel as a config file.
- Do not include the FAQ/faq.html twice (in /doc/ and /share/).
* Wed Sep 06 2000 Fabio Coatti
- Added Polish description and summary (Kindly provided by
Lukasz Stelmach )
* Thu Jul 13 2000 Fabio Coatti
- Added a * to catch all formats for man pages (plain, gz, bz2...)
* Mon May 01 2000 Fabio Coatti
- Some corrections in French description, thanks to Ga?l Qu?ri
; Some corrections to Italian descriptions.
* Tue Apr 25 2000 Fabio Coatti
- Removed the no longer needed patch for man page by Keith Owens
* Wed Mar 1 2000 Petr Kri?tof
- Czech descriptions added; some fixes and updates.
* Sat Jan 15 2000 Keith Owens
- Add missing man page as separate patch instead of updating the tar file.
* Mon Dec 27 1999 Fabio Coatti
- Upgraded for 1.0.1 (added missing gpg.1 man page)
* Sat May 29 1999 Fabio Coatti
- Some corrections in French description, thanks to Ga?l Qu?ri
* Mon May 17 1999 Fabio Coatti
- Added French description, provided by
Christophe Labouisse
* Thu May 06 1999 Fabio Coatti
- Upgraded for 0.9.6 (removed gpgm)
* Tue Jan 12 1999 Fabio Coatti
- LINGUAS variable is now unset in configure to ensure that all languages will be built. (Thanks to Luca Olivetti )
* Sat Jan 02 1999 Fabio Coatti
- Added pl language file.
- Included g10/pubring.asc in documentation files.
* Sat Dec 19 1998 Fabio Coatti
- Modified the spec file provided by Caskey L. Dickson
- Now it can be built also by non-root. Installation has to be done as
root, gpg is suid.
- Added some changes by Ross Golder
- Updates for version 0.4.5 of GnuPG (.mo files)
%description
GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and
creating digital signatures. GnuPG has advanced key management
capabilities and is compliant with the proposed OpenPGP Internet
standard described in RFC-2440. Since GnuPG doesn't use any patented
algorithms, it is not compatible with some versions of PGP 2 which use
only the patented IDEA algorithm. See
http://www.gnupg.org/why-not-idea.html for information on using IDEA
if the patent does not apply to you and you need to be compatible with
these versions of PGP 2.
%description -l it
GnuPG (GNU Privacy Guard) ? una utility GNU per la cifratura di dati e
la creazione di firme digitali. Possiede una gestione avanzata delle
chiavi ed ? conforme allo standard Internet OpenPGP, descritto nella
RFC 2440. Non utilizzando algoritmi brevettati, non ? compatibile con
PGP2 (PGP2.x usa solo IDEA, coperto da brevetto mondiale, ed RSA,
brevettato negli USA con scadenza 20/09/2000). Questi algoritmi sono
utilizzabili da GnuPG tramite moduli esterni.
%description -l fr
GnuPG est un utilitaire GNU destin? ? chiffrer des donn?es et ? cr?er
des signatures ?lectroniques. Il a des capacit?s avanc?es de gestion de
cl?s et il est conforme ? la norme propos?e OpenPGP d?crite dans la
RFC2440. Comme GnuPG n'utilise pas d'algorithme brevet?, il n'est
compatible avec aucune version de PGP2 (PGP2.x ne sait utiliser que
l'IDEA brevet? dans le monde entier et RSA, brevet? aux ?tats-Unis
jusqu'au 20 septembre 2000).
%description -l cs
GnuPG je GNU n?stroj pro bezpe?nou komunikaci a ukl?d?n? dat. M??e b?t
pou?it na ?ifrov?n? dat a vytv??en? digit?ln?ch podpis?. Obsahuje
funkce pro pokro?ilou spr?vu kl??? a vyhovuje navrhovan?mu OpenPGP
Internet standardu podle RFC2440. Byl vytvo?en jako kompletn?
n?hrada za PGP. Proto?e neobsahuje ?ifrovac? algoritmy IDEA nebo RSA,
m??e b?t pou??v?n bez omezen?.
Proto?e GnuPG nepou??v? ??dn? patentovan? algoritmus, nem??e b?t ?pln?
kompatibiln? s PGP verze 2. PGP 2.x pou??v? algoritmy IDEA (patentov?no
celosv?tov?) a RSA (patentov?no ve Spojen?ch st?tech do 20. z???
2000). Tyto algoritmy lze zav?st do GnuPG pomoc? extern?ch modul?.
%description -l pl
GnuPG (GNU Privacy Guard) jest nazedziem do szfrowania danych i tworzenia
cyfrowych podpis?w. GnuPG posiada zaawansowane mozliwosci obslugi kluczy
i jest zgodne z OpenPGP, proponowanym standardem internetowym opisanym
w RFC2440. Poniewaz GnuPG nie uzywa zadnych opatentowanych algorytm?w
nie jest wiec zgodne z jaka kolwiek wersja PGP2 (PGP2.x kozysta jedynie
z algorytm?w: IDEA, opatentowanego na calym swiecie, oraz RSA, kt?rego
patent na terenie Stan?w Zjednoczonych wygasa 20 wrzesnia 2000).
%prep
rm -rf $RPM_BUILD_ROOT
%setup
%build
if test -n "$LINGUAS"; then
unset LINGUAS
fi
%configure --program-prefix=%{?_program_prefix:%{_program_prefix}}
make
%install
%makeinstall libexecdir=$RPM_BUILD_ROOT/%{_libexecdir}/gnupg
%find_lang %{name}
rm %{buildroot}%{_datadir}/%{name}/FAQ
rm %{buildroot}%{_datadir}/%{name}/faq.html
rm -f %{buildroot}%{_infodir}/dir
%files -f %{name}.lang
%defattr (-,root,root)
%doc INSTALL AUTHORS COPYING NEWS README THANKS TODO PROJECTS doc/DETAILS
%doc doc/FAQ doc/faq.html doc/HACKING doc/OpenPGP doc/samplekeys.asc
%doc %attr (0755,root,root) tools/convert-from-106
%config %{_datadir}/%{name}/options.skel
%{_mandir}/man1/*
%{_mandir}/man7/*
%{_infodir}/gpg.info*
%{_infodir}/gpgv.info*
%attr (4755,root,root) %{_bindir}/gpg
%attr (0755,root,root) %{_bindir}/gpgv
%attr (0755,root,root) %{_bindir}/gpgsplit
%attr (0755,root,root) %{_libexecdir}/gnupg/*
%post
/sbin/install-info %{_infodir}/gpg.info %{_infodir}/dir 2>/dev/null || :
/sbin/install-info %{_infodir}/gpgv.info %{_infodir}/dir 2>/dev/null || :
%preun
if [ $1 = 0 ]; then
/sbin/install-info --delete %{_infodir}/gpg.info \
%{_infodir}/dir 2>/dev/null || :
/sbin/install-info --delete %{_infodir}/gpgv.info \
%{_infodir}/dir 2>/dev/null || :
fi
%clean
rm -rf $RPM_BUILD_ROOT
rm -rf $RPM_BUILD_DIR/%{name}-%{version}
From dshaw at jabberwocky.com Sat Feb 12 06:07:48 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Feb 12 06:04:39 2005
Subject: unable to execute program `gpgkeys_hkp': Permission denied
In-Reply-To: <200502110752.20696.adam00f@ducksburg.com>
References:
<200502110752.20696.adam00f@ducksburg.com>
Message-ID: <20050212050748.GF22456@jabberwocky.com>
On Fri, Feb 11, 2005 at 07:52:20AM +0000, Adam Funk wrote:
> On Friday 11 February 2005 00:21, gnupg-users-request@gnupg.org wrote:
> > > Hmm. ?I found all those files in /usr/local/libexec/gnupg/ on my
> > > system, but identified a related problem: the /usr/local/libexec
> > > and /usr/local/libexec/gnupg directories were not world-executable.
> > > "chmod a+x /usr/local/libexec /usr/local/libexec/gnupg" fixed it.
> > > ?Thanks for pointing me in the right direction.
> > >
> > > Is this a bug in the install?
> >
> > GnuPG doesn't actually do the install. ?Rather, automake does. ?It
> > seems to take your umask into account when doing it through. ?What is
> > your umask?
>
> I did the "./configure" and "make" with 0077, then "su", then "make
> install" with 0022.
That looks sane to me. I don't know. I've never seen this particular
problem before. If you do the install over again, does the same thing
happen?
David
From wesley.tabadore at gmail.com Sat Feb 12 23:26:57 2005
From: wesley.tabadore at gmail.com (Wesley Tabadore)
Date: Sat Feb 12 23:23:16 2005
Subject: Strongest Key, Hash, and Cypher Algorithms
In-Reply-To: <20050210062842.87663.qmail@smasher.org>
References: <200502080135.CAA00593@vulcan.xs4all.nl>
<20050208195036.79982.qmail@smasher.org>
<20050210062842.87663.qmail@smasher.org>
Message-ID:
> right. when you select (1) and generate a DSA/elgamal key, you're creating
> a DSA primary (signing) key with an elgamal (encryption) subkey.
>
> if you generate an RSA key you have to add subkeys after the primary is
> generated.
If when I create the RSA key I set the capabilities to both Sign and
Encrypt, do I still need to add subkeys after creating the RSA key?
What are the benefits if any?
I tried using the key to both sign and encrypt and it seems to work.
Thanks,
Wes
On Thu, 10 Feb 2005 01:29:37 -0500 (EST), Atom Smasher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Wed, 9 Feb 2005, Wesley Tabadore wrote:
>
> > When generating keys, these are the only options:
> >
> > (1) DSA and Elgamal (default)
> > (2) DSA (sign only)
> > (5) RSA (sign only)
> >
> > However, using the --expert switch, additional options are available as well:
> >
> > (3) DSA (set your own capabilities)
> > (7) RSA (set your own capabilities)
> >
> > If I chose #7 (RSA), I can choose whether to set the "capabilities of
> > the key as any or all of: Sign Encrypt Authenticate.
> >
> > First, why is this considered an "expert" option? Second,
> > Authenticate is off by default when I chose #7, what is the
> > Authenticate flag used for and is there a specific reason it is off by
> > default? Is an RSA key considered to be any more secure than a DSA
> > key?
> ===============
>
> these are mostly questions for dave & werner. i think the expert options
> are hidden because most people never use/need them, and hiding them makes
> it easier for noobs who will use the defaults anyway.
>
> the authenticate capability is new, and isn't really used anywhere that i
> know of. one of the things that it may be used for in the future is SSH
> authentication.
>
> it is generally considered that DSA (and elgamal) has "more security per
> bit" than RSA, but not by a considerable margin. between a 1024 bit RSA
> key and a 1024 bit DSA key, they're both just as hard to break (for all
> practical purposes). so, since DSA is limited to 1024 bits and RSA
> isn't... well, do the math...
>
>
> > Lastly, when I issue a --list-keys command, after generating an RSA
> > key (using --expert), I see the following:
> >
> > pub 4096R/D0915403 2005-02-09
> > uid Wesley Tabadore
> >
> > However, after generating a DSA and Elgamal key, and then issuing the
> > --list-keys command, I get:
> >
> > pub 1024D/A4FD0FD9 2005-02-03
> > uid Wesley Tabadore
> > sub 2048g/715F1580 2005-02-03
> >
> > There appears to be an extra key (sub). Am I right in thiking that
> > the 1024-bit key above is for signing and the 2048-bit key is for
> > encryption? If not, what are they for?
> ================
>
> right. when you select (1) and generate a DSA/elgamal key, you're creating
> a DSA primary (signing) key with an elgamal (encryption) subkey.
>
> if you generate an RSA key you have to add subkeys after the primary is
> generated.
>
> you can use "pgpdump" to look inside a key and see what it's made of. that
> helped me greatly in understanding how this all works.
>
> - --
> ...atom
>
> _________________________________________
> PGP key - http://atom.smasher.org/pgp.txt
> 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
> -------------------------------------------------
>
> "Men occasionally stumble over the truth,
> but most of them pick themselves up and
> hurry off as if nothing had happened."
> -- Winston Churchill
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (FreeBSD)
> Comment: What is this gibberish?
> Comment: http://atom.smasher.org/links/#digital_signatures
>
> iQEcBAEBCAAGBQJCCv9WAAoJEAx/d+cTpVcic1kH/2NF9Vdemrc8WIJ9FXLkniGP
> EQbtS8qPAdjiHaxY5MxfhG1VptMtgwC8KsapvLfp9ezbaYOLBIHcUrmhmpNm0ExZ
> floseIiSPZ1UEJE2dbC3IpsvMQzVKs5kzw5fPi3Vm3oPxKnIQlO0K1E6lhERn/nC
> iUNTmojLH/KY/GZlhnZiBWrgggvqebTcizn1OBaiSrimwSzyAlYpWOKUCQGWh/6n
> Q1WGrGSWbPcayit5ZPli+doNHi5VWuGT3yJ3Y1Xtgpd+OE28xhAMyj9H1a7S2HxY
> kFZ8tbDJuV0tLmtx3euPg02Qu6KtNiA0rEbrm4zG4SNo/U16rSwOv1xqcHo65C0=
> =GSSv
> -----END PGP SIGNATURE-----
>
From atom at smasher.org Sat Feb 12 23:49:18 2005
From: atom at smasher.org (Atom Smasher)
Date: Sat Feb 12 23:44:15 2005
Subject: Strongest Key, Hash, and Cypher Algorithms
In-Reply-To:
References: <200502080135.CAA00593@vulcan.xs4all.nl>
<20050208195036.79982.qmail@smasher.org>
<20050210062842.87663.qmail@smasher.org>
Message-ID: <20050212224807.16310.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Sat, 12 Feb 2005, Wesley Tabadore wrote:
> If when I create the RSA key I set the capabilities to both Sign and
> Encrypt, do I still need to add subkeys after creating the RSA key? What
> are the benefits if any?
>
> I tried using the key to both sign and encrypt and it seems to work.
======================
there's nothing wrong with having all capabilities set in the primary key,
but it's generally advisable to have an encryption subkey and possibly a
signing subkey (and authentication subkey?).
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"That's hard to tell. I think that, you know, I would hope
to be able to convince people I could handle the Iraqi
situation better."
Bush-Gore debate, 11 Oct 2000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCDof1AAoJEAx/d+cTpVciHV8H/RDygtQ4U7wg1aL8J/0n6RjP
yEf5vi7gk2mmZ8oCdpJUe6bQ0zKO8SFg2XY9elHA7ztC5Jlq2vObk83/316hSWhE
G6oLIC3HXbUTZaNFzBH7/A6uH/DVOExyxhOB6JcgQbkthLyiNAxCzo9V4smZRfMT
r/TV+V7YfYol4cLVJiEh3vK79uYpbXHyUjhdkieHRJymMHKaI4MUV5iy6QniJ3lK
yZl00GFISbU2WLoc/HWsuik62sIytZU8U8iEBP0F/RMvlCAsSm2ZcgXbD1H847eF
Jb2Hkq8zC4ngdUxUbI7pIQx1F6hp+JYoszc9DIcx6/bDcD0e/6wQRqi0OLSFlXY=
=r+lv
-----END PGP SIGNATURE-----
From federicotg at gmail.com Sun Feb 13 01:04:24 2005
From: federicotg at gmail.com (Federico Tello Gentile)
Date: Sun Feb 13 01:59:32 2005
Subject: Question regarding user identification withing the keyrring
Message-ID: <420E9988.4060909@gmail.com>
Hi.
I am writting a tool to help distribute files securely using
cryptography and I am basing my ideas on PGP (in fact its web of trust
model).
I have a doubt regarding how does such a tool (GPG, PGP) identify users
when it has to pick up a public key from the keyrring to verify a signature.
Does the signed message provide the signer's public key along with its
name and email? Does the system look for the email and name in the
reciever's keyring and try to verify the signature with one that matches?
I have to decide what information would I use for matching a signed
document with a user's certificate, should I use the public key or the
email?
I know X.509 certificates have a unique Id per certificate issued, but
that is because there is a central CA issueing all certs., which is not
the case when using GPG.
I know this is not related to GPG particularly, but I thought maybe some
of you may help me.
I hope you understand my question.
Thanks you and sorry for bothering you.
From federicotg at gmail.com Sun Feb 13 16:39:16 2005
From: federicotg at gmail.com (Federico Tello Gentile)
Date: Sun Feb 13 16:34:44 2005
Subject: Question regarding user identification withing the keyrring
In-Reply-To: <200502131052.15836.linux@codehelp.co.uk>
References: <420E9988.4060909@gmail.com>
<200502131052.15836.linux@codehelp.co.uk>
Message-ID: <420F74A4.1090107@gmail.com>
Neil Williams wrote:
>The fingerprint of any OpenPGP key is unique.
>
>
>
Thanks, you have clarified this to me. However isn't there a very small
chance (of course negligible) that 2 users will generate the same
keypair? After all a key is just a computer generated number and each
key is independently generated by each user.
Anyway, now know I have to use the public key as the keyID or a hash of
it, thanks.
From erwan at rail.eu.org Sun Feb 13 16:51:55 2005
From: erwan at rail.eu.org (Erwan David)
Date: Sun Feb 13 16:48:15 2005
Subject: Question regarding user identification withing the keyrring
In-Reply-To: <420F74A4.1090107@gmail.com>
References: <420E9988.4060909@gmail.com>
<200502131052.15836.linux@codehelp.co.uk>
<420F74A4.1090107@gmail.com>
Message-ID: <20050213155155.GA28296@nez-casse.depot.rail.eu.org>
Le Sun 13/02/2005, Federico Tello Gentile disait
> Neil Williams wrote:
>
> >The fingerprint of any OpenPGP key is unique.
> >
> >
> >
> Thanks, you have clarified this to me. However isn't there a very small
> chance (of course negligible) that 2 users will generate the same
> keypair? After all a key is just a computer generated number and each
> key is independently generated by each user.
There is also a small chance a cosmic ray will change one bit inside
the processor during the calculation. If I remember the probability is
higher for the cosmic ray.
--
Erwan
From wk at gnupg.org Sun Feb 13 17:24:59 2005
From: wk at gnupg.org (Werner Koch)
Date: Sun Feb 13 17:21:04 2005
Subject: Question regarding user identification withing the keyrring
In-Reply-To: <420E9988.4060909@gmail.com> (Federico Tello Gentile's message
of "Sat, 12 Feb 2005 21:04:24 -0300")
References: <420E9988.4060909@gmail.com>
Message-ID: <877jlcig10.fsf@wheatstone.g10code.de>
On Sat, 12 Feb 2005 21:04:24 -0300, Federico Tello Gentile said:
> Does the signed message provide the signer's public key along with its
> name and email? Does the system look for the email and name in the
No, you need to get the public key from elsewhere (usually a
keyserver). The key for signature verification is looked up by the keyid.
> I have to decide what information would I use for matching a signed
> document with a user's certificate, should I use the public key or the
> email?
Use the fingerprint
> I know X.509 certificates have a unique Id per certificate issued,
> but
Which is not always unique as some CA issues new certificates using
the same serial number.
Shalom-Salam,
Werner
From swright at physics.adelaide.edu.au Sun Feb 13 17:25:58 2005
From: swright at physics.adelaide.edu.au (Stewart V. Wright)
Date: Sun Feb 13 17:22:42 2005
Subject: [PATCH] gnupg.spec [WAS: unable to execute program
`gpgkeys_hkp': Permission denied]
In-Reply-To: <20050212050506.GE22456@jabberwocky.com>
References: <200502092045.54635.adam00f@ducksburg.com>
<20050209210131.GE13440@anl.gov>
<20050209211832.GD13550@jabberwocky.com>
<20050209214834.GF13440@anl.gov>
<20050210033606.GC13965@jabberwocky.com>
<20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov>
<20050211202000.GD7710@anl.gov>
<20050212050506.GE22456@jabberwocky.com>
Message-ID: <20050213162558.GA5569@anl.gov>
G'day David,
* David Shaw [050211 23:10]:
> On Fri, Feb 11, 2005 at 02:20:00PM -0600, Stewart V. Wright wrote:
>
> > 1) Removed --libexecdir=%{_libexecdir}/gnupg from the configure
> > option. I'm not entirely sure why it still needs to be there for
> > the make install, but this is an rpm issue, not an auto{make,conf}
> > one.
>
> It looks like it's needed for the make because the RPM macro for
> %makeinstall is Being Helpful and overriding the libexecdir variable
> back to what it was before we overrode it in the first place.
That's the impression I got.
> > 2) Removed the 'rm %{buildroot}%{_infodir}/dir' line. This file is
> > not created in the rpm building process, only in the install.
>
> I don't think this is correct. Removing that line causes the rpmbuild
> to fail on my system. Do you have the info package installed? That
> may be the difference between your box and mine.
I do have info installed. I checked that info was working with the
previous attempt at an spec file.
> Try the attached spec. I think it should work now.
Yup. I guess I should have RTFM for rm and just gone with the -f
flag... Good catch!
Cheers,
S.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 274 bytes
Desc: Digital signature
Url : /pipermail/attachments/20050213/e37c3b27/attachment.pgp
From cripto at ecn.org Fri Feb 11 14:42:05 2005
From: cripto at ecn.org (Anonymous)
Date: Mon Feb 14 11:04:26 2005
Subject: anything like a --target-directory option?
Message-ID: <2f44eb39c78c6e5ce9574a39d83734d5@ecn.org>
`gpg path/to/foo.gpg` decrypts to path/to/foo
`gpg -d path/to/foo.gpg >target/path/foo` decrypts to the specified
destination
`gpg --multifile path/to/foo1.gpg path/to/foo2.gpg ...` puts all the
decrypted files in path/to/
Is there any way to "bulk-decrypt" a bunch of files to one specified
target directory?
Thanks.
From mconahan at iotest.org Mon Feb 14 18:09:57 2005
From: mconahan at iotest.org (mconahan@iotest.org)
Date: Mon Feb 14 18:06:08 2005
Subject: How to encrypt attachments in MIME using inline-PGP
Message-ID: <4210DB65.1070001@iotest.org>
Hi everyone,
If a PGP recipient is using an application that only accepts
inline-PGP, how do I contruct the MIME so that I can send attachments.
I realize that Enigmail (as do some other apps) does it for you, but I
was wondering if anyone knows what the general process is for handling
attachments in inline-PGP?
Michael
From atom at smasher.org Mon Feb 14 18:19:23 2005
From: atom at smasher.org (Atom Smasher)
Date: Mon Feb 14 18:14:22 2005
Subject: How to encrypt attachments in MIME using inline-PGP
In-Reply-To: <4210DB65.1070001@iotest.org>
References: <4210DB65.1070001@iotest.org>
Message-ID: <20050214171800.55417.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Mon, 14 Feb 2005, mconahan@iotest.org wrote:
> If a PGP recipient is using an application that only accepts
> inline-PGP, how do I contruct the MIME so that I can send attachments.
> I realize that Enigmail (as do some other apps) does it for you, but I
> was wondering if anyone knows what the general process is for handling
> attachments in inline-PGP?
=====================
encrypt the file(s) you want to attach attach. then attach the encrypted
file(s).
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"Don't fight it son. Confess quickly!
If you hold out too long you could
jeopardize your credit rating."
-- Brazil
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCEN2hAAoJEAx/d+cTpVcislEH/3NopAsLFHGRbxtc2uWQ6fZh
SrNAQAFag9l2MHGOrjbSbGHVZjsQwTSAyidPQvcvks2NY+wGz6h0xNqg4/UMDcsL
ulldVNif2T73lCWVW6qQdrkBj5Z9YbOkWSMRdVrmFk1JPZ2BlwxMvXIerR/lChKz
DnSW6sVpQyUZ3gW2Yb5QoKayF/u9bj3kaPIY6Vj5aeMFr5fC6maE8u+dZwF8ByR7
M53350NA+DP3fupoKYYjgDDKY7l6zWnSUX99N5jdQ8GngHW7qru/YjJAcKsqbJqn
GDTcNKDCwrPTc7TZSlj+hnnCapnLGkzZhGU+N+wSicTwnvtoC2x6ICUf/CaF/ms=
=xk+p
-----END PGP SIGNATURE-----
From Freedom_Lover at pobox.com Mon Feb 14 22:08:00 2005
From: Freedom_Lover at pobox.com (Todd)
Date: Mon Feb 14 22:04:49 2005
Subject: [PATCH] gnupg.spec [WAS: unable to execute program
`gpgkeys_hkp': Permission denied]
In-Reply-To: <20050212050506.GE22456@jabberwocky.com>
References: <200502092045.54635.adam00f@ducksburg.com>
<20050209210131.GE13440@anl.gov>
<20050209211832.GD13550@jabberwocky.com>
<20050209214834.GF13440@anl.gov>
<20050210033606.GC13965@jabberwocky.com>
<20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov>
<20050211202000.GD7710@anl.gov>
<20050212050506.GE22456@jabberwocky.com>
Message-ID: <20050214210800.GR4175@psilocybe.teonanacatl.org>
Skipped content of type multipart/mixed-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 318 bytes
Desc: not available
Url : /pipermail/attachments/20050214/b1a2fa86/attachment.pgp
From bastien.laporte-riou at medincell.com Tue Feb 15 17:10:17 2005
From: bastien.laporte-riou at medincell.com (Bastien Laporte-Riou)
Date: Tue Feb 15 17:05:29 2005
Subject: Backup with encryption
Message-ID: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com>
Hello,
I work actually on a system of backup on my server and to secure my data i
encrypt it with gnupg. But i have a problem, actually i have export my
public key and i don't know how to export my secret-key because if i have a
crash on my server all my data could not be decryt because i haven't the
secret key i have made a test. Then my question how can i made a backup ok
my secret-key to decrypt my data before a crash?
Thanks for your answer.
Excuse my english i am french.
Best Regards.
--
___________________________
Medincell
Bastien Laporte-Riou
Email : bastien.laporte-riou@medincell.com
Web : http://www.medincell.com
Sent date : 02.15.2005
___________________________
Disclaimer - This email and any files transmitted with it are confidential
and contain privileged or copyright information. You must not present this
message to another party without gaining permission from the sender. If you
are not the intended recipient you must not copy, distribute or use this
email or the information contained in it for any purpose other than to
notify us. If you have received this message in error, please notify the
sender immediately, and delete this email from your system. We do not
guarantee that this material is free from viruses or any other defects
although due care has been taken to minimise the risk. Any views expressed
in this message are those of the individual sender, except where the sender
specifically states them to be the views of Medincell.
From mail at renelemme.de Tue Feb 15 18:40:59 2005
From: mail at renelemme.de (=?iso-8859-1?q?Ren=E9_Lemme?=)
Date: Tue Feb 15 19:28:51 2005
Subject: Changing passphrase
Message-ID: <200502151841.06753.mail@renelemme.de>
Hello group,
what would happen if I would change the passphrase of my sec-key but keep a
copy of the sec-key with the old passphrase? Could both sec-key files on
different pc's be used?
Regards,
_rene
--
GnupPG Key-ID: 0xBFCC946E
download @ www.renelemme.de
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050215/e7f86752/attachment.pgp
From mconahan at zixtestott.com Tue Feb 15 19:41:51 2005
From: mconahan at zixtestott.com (mconahan@zixtestott.com)
Date: Tue Feb 15 20:35:21 2005
Subject: Backup with encryption
In-Reply-To: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com>
References: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com>
Message-ID: <4212426F.4040906@zixtestott.com>
Bastien Laporte-Riou wrote:
>Hello,
>
> I work actually on a system of backup on my server and to secure my data i
>encrypt it with gnupg. But i have a problem, actually i have export my
>public key and i don't know how to export my secret-key because if i have a
>crash on my server all my data could not be decryt because i haven't the
>secret key i have made a test. Then my question how can i made a backup ok
>my secret-key to decrypt my data before a crash?
>
>Thanks for your answer.
>
>Excuse my english i am french.
>
>Best Regards.
>--
>
>
I recommend backing up your public and private keyring files
"pubring.gpg" and "secring.gpg" located in your gpg home directory. If
your server crashes, simply obain gpg, install, and place your keyring
backup files in the gpg home directory, and everything should be cool.
From linux at codehelp.co.uk Tue Feb 15 21:00:13 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Tue Feb 15 20:56:14 2005
Subject: Changing passphrase
In-Reply-To: <200502151841.06753.mail@renelemme.de>
References: <200502151841.06753.mail@renelemme.de>
Message-ID: <200502152000.15805.linux@codehelp.co.uk>
On Tuesday 15 February 2005 5:40 pm, Ren? Lemme wrote:
> Hello group,
>
> what would happen if I would change the passphrase of my sec-key but keep a
> copy of the sec-key with the old passphrase? Could both sec-key files on
> different pc's be used?
Provided you remember which passphrase is which, yes. Either key can be used
to decrypt messages sent to the public key or to make signatures with the one
key.
But, why not just have two keys?
Having two passphrases is no more secure because you can do everything with
either passphrase, all you need is the right passphrase - so no change there.
--
Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.neil.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050215/38e7ec28/attachment.pgp
From mail at renelemme.de Tue Feb 15 21:18:48 2005
From: mail at renelemme.de (=?utf-8?q?Ren=C3=A9_Lemme?=)
Date: Tue Feb 15 21:14:46 2005
Subject: Changing passphrase
In-Reply-To: <200502152000.15805.linux@codehelp.co.uk>
References: <200502151841.06753.mail@renelemme.de>
<200502152000.15805.linux@codehelp.co.uk>
Message-ID: <200502152118.57669.mail@renelemme.de>
Am Dienstag, 15. Februar 2005 21:00 schrieb Neil Williams:
> On Tuesday 15 February 2005 5:40 pm, Ren? Lemme wrote:
> > Hello group,
> >
> > what would happen if I would change the passphrase of my sec-key but keep
> > a copy of the sec-key with the old passphrase? Could both sec-key files
> > on different pc's be used?
>
> Provided you remember which passphrase is which, yes. Either key can be
> used to decrypt messages sent to the public key or to make signatures with
> the one key.
>
> But, why not just have two keys?
>
> Having two passphrases is no more secure because you can do everything with
> either passphrase, all you need is the right passphrase - so no change
> there.
Thanks for the answer. Was just wondering if I had to change the passphrase on
different pc's at the same time or if I could still use the key with
different passphrases before synching them.
_rene
--
GnupPG Key-ID: 0xBFCC946E
download @ www.renelemme.de
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050215/814875f8/attachment.pgp
From linux at codehelp.co.uk Tue Feb 15 22:10:31 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Tue Feb 15 22:06:28 2005
Subject: Changing passphrase
In-Reply-To: <200502152118.57669.mail@renelemme.de>
References: <200502151841.06753.mail@renelemme.de>
<200502152000.15805.linux@codehelp.co.uk>
<200502152118.57669.mail@renelemme.de>
Message-ID: <200502152110.31903.linux@codehelp.co.uk>
On Tuesday 15 February 2005 8:18 pm, Ren? Lemme wrote:
> Thanks for the answer. Was just wondering if I had to change the passphrase
> on different pc's at the same time or if I could still use the key with
> different passphrases before synching them.
There is actually no need to synchronise secret keys, once exported, the copy
remains valid and doesn't ever need to know about the 'original'.
--
Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.neil.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050215/3734311b/attachment-0001.pgp
From greg at turnstep.com Wed Feb 16 05:14:09 2005
From: greg at turnstep.com (Greg Sabino Mullane)
Date: Wed Feb 16 06:10:58 2005
Subject: Backup with encryption
In-Reply-To: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com>
Message-ID: <21f9090dfefa95355b0be4e8a3dcc357@biglumber.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> I work actually on a system of backup on my server and to secure my data i
> encrypt it with gnupg. But i have a problem, actually i have export my
> public key and i don't know how to export my secret-key because if i have a
> crash on my server all my data could not be decryt because i haven't the
> secret key i have made a test. Then my question how can i made a backup ok
> my secret-key to decrypt my data before a crash?
You could also use plain-old symmetric encryption:
gpg -ca yourfile
(the "a" is optional but makes the files easy to recognize and send through
email)
The only thing you have to worry about then is forgetting the password.
- --
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200502152313
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8
-----BEGIN PGP SIGNATURE-----
iD8DBQFCEsjsvJuQZxSWSsgRAqIaAJ9Z1CnI+OtxxyKEtc/cjgj1Lj+pSgCgiz3a
RlpFvtf4gpkirWUAHgE5zFw=
=bvka
-----END PGP SIGNATURE-----
From erpo41 at hotpop.com Wed Feb 16 09:48:29 2005
From: erpo41 at hotpop.com (Eric Anopolsky)
Date: Wed Feb 16 09:44:00 2005
Subject: SHA1 broken?
Message-ID: <1108543709.5827.1.camel@localhost.localdomain>
http://it.slashdot.org/it/05/02/16/0146218.shtml?tid=93&tid=172&tid=218
Does anyone know anything about this?
From pt at radvis.nu Wed Feb 16 09:42:56 2005
From: pt at radvis.nu (pt@radvis.nu)
Date: Wed Feb 16 09:51:10 2005
Subject: How to display fingerprint for secret key
Message-ID: <1108543376.26203@ns1.softit.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I did some testing and ended up with two secret keys with the same (short)
keyid. Is there any way to display a long keyid or the whole fingerprint?
Yours,
Per Tunedal
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32) - WinPT 0.7.96
Comment: Vad är en pgp-signatur? www.clipanish.com/PGP/pgp.html
iD8DBQFCEwtApPsTvNtsBX8RAouOAKCAT8dSqKUt1msx+IVZ+5s1+Eae4gCbBPjd
35iCFJ2jgSOK6+dZBLUi0sU=
=XRS3
-----END PGP SIGNATURE-----
_________________________________________________
Detta meddelande skickades från SoftIT - Webmail
http://www.softit.se
From mads at warhead.org.uk Wed Feb 16 14:13:43 2005
From: mads at warhead.org.uk (Mads Munch Hansen)
Date: Wed Feb 16 14:19:45 2005
Subject: Backup with encryption
In-Reply-To: <21f9090dfefa95355b0be4e8a3dcc357__13267.9878188812$1108530984$gmane$org@biglumber.com>
References: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com>
<21f9090dfefa95355b0be4e8a3dcc357__13267.9878188812$1108530984$gmane$org@biglumber.com>
Message-ID:
Greg Sabino Mullane wrote:
>
>
>>>I work actually on a system of backup on my server and to secure my data i
>>>encrypt it with gnupg. But i have a problem, actually i have export my
>>>public key and i don't know how to export my secret-key because if i have a
>>>crash on my server all my data could not be decryt because i haven't the
>>>secret key i have made a test. Then my question how can i made a backup ok
>>>my secret-key to decrypt my data before a crash?
>
>
> You could also use plain-old symmetric encryption:
>
> gpg -ca yourfile
>
> (the "a" is optional but makes the files easy to recognize and send through
> email)
>
> The only thing you have to worry about then is forgetting the password.
>
> --
> Greg Sabino Mullane greg@turnstep.com
> PGP Key: 0x14964AC8 200502152313
> http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8
That would mean he would have to input a passphrase everytime he does a
backups, or make a script that does it for him, which could be a
potential security risk. By using a public key, the backups can be done
unatended with no risk of passphrase being compromised if the script(s)
are. (it would be a good idea nontheless to keep the secret key on
another system though)
Regards
Mads
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050216/73e2f263/signature.pgp
From dshaw at jabberwocky.com Wed Feb 16 15:44:19 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 16 15:40:59 2005
Subject: SHA1 broken?
In-Reply-To: <1108543709.5827.1.camel@localhost.localdomain>
References: <1108543709.5827.1.camel@localhost.localdomain>
Message-ID: <20050216144419.GC21336@jabberwocky.com>
On Wed, Feb 16, 2005 at 12:48:29AM -0800, Eric Anopolsky wrote:
> http://it.slashdot.org/it/05/02/16/0146218.shtml?tid=93&tid=172&tid=218
>
> Does anyone know anything about this?
The paper has not been published yet, but the information released
thus far indicates the team was able to find a collision in SHA-1 in
2^69 operations. Since SHA-1 should have been resistant to collision
to 2^80 operations, this is a very impressive attack. Incidentally,
this is same team that was behind the successful attack on MD5.
However, in the real world this doesn't seem like a very useful
attack. It's rather like someone pointing out that the 100 foot high
wall around your house is only 50 feet high. True, the wall is not as
tell as claimed, but it's still probably taller than it needs to be.
To put this in perspective, the "broken" SHA-1 is stronger than MD5
was thought to be before the MD5 breaks were discovered (MD5 was
2^64).
Still, I'm speculating based on the little information that has been
released. Nobody really knows all the details yet since the paper
hasn't been published. It is not yet known if the attack can be
extended to the SHA-2 hashes (SHA-256, SHA-384, and SHA-512). Even if
it can be extended, the sheer length of the SHA-2 hashes may render
the attack moot in practical terms... or it might not. We just don't
know yet.
In terms of GnuPG: it's up to you whether you want to switch hashes or
not. GnuPG supports all of the SHA-2 hashes, so they are at least
available. Be careful you don't run up against compatibility
problems: PGP doesn't support 384 or 512, and only recently started
supporting 256. GnuPG before 1.2.2 (2003-05-01), doesn't have any of
the new hashes. Finally, if you have a DSA signing key (most people
do) you are required to use either SHA-1 or RIPEMD/160. RSA signing
keys can use any hash.
David
From dshaw at jabberwocky.com Wed Feb 16 15:45:35 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 16 15:42:24 2005
Subject: How to display fingerprint for secret key
In-Reply-To: <1108543376.26203@ns1.softit.net>
References: <1108543376.26203@ns1.softit.net>
Message-ID: <20050216144535.GD21336@jabberwocky.com>
On Wed, Feb 16, 2005 at 09:42:56AM +0100, pt@radvis.nu wrote:
> Hi,
> I did some testing and ended up with two secret keys with the same (short)
> keyid. Is there any way to display a long keyid or the whole fingerprint?
gpg --keyid-format long --list-secret-keys
gpg --fingerprint --list-secret-keys
David
From dlc at sevenroot.org Wed Feb 16 15:13:44 2005
From: dlc at sevenroot.org (Darren Chamberlain)
Date: Wed Feb 16 16:07:31 2005
Subject: SHA1 broken?
In-Reply-To: <1108543709.5827.1.camel@localhost.localdomain>
References: <1108543709.5827.1.camel@localhost.localdomain>
Message-ID: <20050216141344.GA31989@boston.com>
* Eric Anopolsky [2005/02/16 00:48]:
> http://it.slashdot.org/it/05/02/16/0146218.shtml?tid=93&tid=172&tid=218
>
> Does anyone know anything about this?
Bruce Schneier thinks it's probably be true
():
SHA-1 has been broken. Not a reduced-round version. Not a simplified
version. The real thing.
...
The paper isn't generally available yet. At this point I can't tell
if the attack is real, but the paper looks good and this is a
reputable research team.
So this would be when we start putting:
digest-algo RIPEMD160
in our gpg.conf, right?
(darren)
--
The tools we use have a profound (and devious!) influence on our
thinking habits, and, therefore, on our thinking abilities.
-- Edsger W. Dijkstra
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : /pipermail/attachments/20050216/61a2411d/attachment.pgp
From vedaal at hush.com Wed Feb 16 16:22:25 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Wed Feb 16 16:18:34 2005
Subject: sha-1
Message-ID: <200502161522.j1GFMQNh087918@mailserver3.hushmail.com>
if sha-1 does turn out to be as weak/broken as md-5,
then,
would it be possible for the owner of a key
to somehow amend an already existing keypair,
to change or add to the self-signature
with a different trusted hash algorithm ?
vedaal
Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434
Promote security and make money with the Hushmail Affiliate Program:
http://www.hushmail.com/about-affiliate?l=427
From dshaw at jabberwocky.com Wed Feb 16 16:33:30 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 16 16:30:11 2005
Subject: sha-1
In-Reply-To: <200502161522.j1GFMQNh087918@mailserver3.hushmail.com>
References: <200502161522.j1GFMQNh087918@mailserver3.hushmail.com>
Message-ID: <20050216153330.GG21336@jabberwocky.com>
On Wed, Feb 16, 2005 at 07:22:25AM -0800, vedaal@hush.com wrote:
> if sha-1 does turn out to be as weak/broken as md-5,
>
> then,
> would it be possible for the owner of a key
> to somehow amend an already existing keypair,
>
> to change or add to the self-signature
> with a different trusted hash algorithm ?
For user IDs, that's easy and you can do that now. Just delete your
self-sig and re-sign the UID. For subkey self-signatures, you can
theoretically do it, but it's probably not worth it. Just revoke the
old subkey and make a new one with whatever hash algorithm you like.
Be careful though - remember that not all OpenPGP implementations
support all hashes. You can easily make your key unusable by some
people. The nice thing about SHA-1 is that it is required by the
protocol so it always works.
David
From johanw at vulcan.xs4all.nl Wed Feb 16 16:32:03 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed Feb 16 16:51:40 2005
Subject: SHA1 broken?
In-Reply-To: <20050216141344.GA31989@boston.com> from Darren Chamberlain at
"Feb 16, 2005 09:13:44 am"
Message-ID: <200502161532.QAA01474@vulcan.xs4all.nl>
Darren Chamberlain wrote:
>So this would be when we start putting:
> digest-algo RIPEMD160
>in our gpg.conf, right?
How about SHA-256 and 512? Are they based on SHA-1? And how about
getting Tiger-192 back?
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From dlc at sevenroot.org Wed Feb 16 16:56:57 2005
From: dlc at sevenroot.org (Darren Chamberlain)
Date: Wed Feb 16 16:57:44 2005
Subject: SHA1 broken?
In-Reply-To: <200502161532.QAA01474@vulcan.xs4all.nl>
References: <20050216141344.GA31989@boston.com>
<200502161532.QAA01474@vulcan.xs4all.nl>
Message-ID: <581a2c87-4737-47e0-8b48-eac5a09882de@gir.boston.com>
* Johan Wevers [2005/02/16 16:32]:
> Darren Chamberlain wrote:
>
> >So this would be when we start putting:
> > digest-algo RIPEMD160
> >in our gpg.conf, right?
>
> How about SHA-256 and 512? Are they based on SHA-1? And how about
> getting Tiger-192 back?
David Shaw just said[0]:
> Finally, if you have a DSA signing key (most people do) you are
> required to use either SHA-1 or RIPEMD/160. RSA signing keys can
> use any hash.
I'm one of "most people", apparently, since gpg threw an error when I
specified SHA-256. :)
(darren)
[0]
--
Three things in human life are important: the first is to be kind; the
second is to be kind; and the third is to be kind.
-- Henry James
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : /pipermail/attachments/20050216/3c828328/attachment.pgp
From atom at smasher.org Wed Feb 16 17:13:23 2005
From: atom at smasher.org (Atom Smasher)
Date: Wed Feb 16 17:08:00 2005
Subject: SHA1 broken?
In-Reply-To: <20050216144419.GC21336@jabberwocky.com>
References: <1108543709.5827.1.camel@localhost.localdomain>
<20050216144419.GC21336@jabberwocky.com>
Message-ID: <20050216161147.43569.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Wed, 16 Feb 2005, David Shaw wrote:
> In terms of GnuPG: it's up to you whether you want to switch hashes or
> not. GnuPG supports all of the SHA-2 hashes, so they are at least
> available. Be careful you don't run up against compatibility problems:
> PGP doesn't support 384 or 512, and only recently started supporting
> 256. GnuPG before 1.2.2 (2003-05-01), doesn't have any of the new
> hashes. Finally, if you have a DSA signing key (most people do) you are
> required to use either SHA-1 or RIPEMD/160. RSA signing keys can use
> any hash.
====================
there's more to it than that. openPGP specifies SHA-1 (and nothing else)
as the hash used to generate key fingerprints, and is what key IDs are
derived from.
a real threat if this can be extended into a practical attack is
substituting a key with a *different* key having the same ID and
fingerprint. it would be difficult for average users (and impossible for
the current openPGP infrastructure) to tell bob's key from mallory's key
that claims to be bob's.
it can also be used (if the attack becomes practical) to forge key
signatures. mallory can create a bogus key and "sign" it with anyone's
real key. this would turn the web of trust into dust.
the openPGP spec seemed to have assumed that SHA-1 just wouldn't fail.
ever. this was the same mistake made in the original version of pgp that
relied on md5. the spec needs to allow a choice of hash algorithms for
fingerprints and key IDs, or else we'll play this game every time someone
breaks a strong hash algorithm.
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"Any sufficiently advanced technology
is indistinguishable from magic."
-- Arthur C. Clarke
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCE3EoAAoJEAx/d+cTpVcinwsIAKnjw1AqwY0guPtdxMagoZC2
Rv7mCZt3QnpH4uEaWNLh5R3VImVwOBevW9VdYm+UdMwdmodD79Bc0MyPOaHDuUiP
okmo0PigWIht2vGWK7F6xLtUwLUlGyuAWO5w8g/hNCt0ftdb1jUam0wQtqnTTarM
B1kyTWU0sHsjyloSh0umQ8kC0nt9nNhLIasp84oIo+D3b0r6yKIWjMS7dHr1hIbx
2gXBdVw01HJng/BtF/THfZwAD2IE+OLNPg4Q6v6QnVf3BGBBPSiiD2mXrizuknA8
RevXGYgBc4plOWOlDmx2ydbRqFHe5obGMGFCk4muFh8veFhPbFxCKvfBwsawi+U=
=f0+g
-----END PGP SIGNATURE-----
From sk at intertivity.com Wed Feb 16 17:12:07 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Wed Feb 16 17:08:14 2005
Subject: SHA1 broken?
In-Reply-To: <20050216144419.GC21336@jabberwocky.com>
Message-ID: <000901c51442$44274af0$f300a8c0@HOME>
Not really true.
If your wall is 100 meters (i dont how to calculate in foot) high,
and the ratio is 2^69 / 2^80 then your wall will be about 5 centimeters
high. Which is actually a big difference. But it's that it is still higher
than the MD5 wall. :)
On 16. Februar 2005 15:44, David Shaw wrote:
> However, in the real world this doesn't seem like a very
> useful attack. It's rather like someone pointing out that
> the 100 foot high wall around your house is only 50 feet
> high. True, the wall is not as tell as claimed, but it's
> still probably taller than it needs to be. To put this in
> perspective, the "broken" SHA-1 is stronger than MD5 was
> thought to be before the MD5 breaks were discovered (MD5 was 2^64).
From dshaw at jabberwocky.com Wed Feb 16 17:19:43 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 16 17:19:51 2005
Subject: SHA1 broken?
In-Reply-To: <000901c51442$44274af0$f300a8c0@HOME>
References: <20050216144419.GC21336@jabberwocky.com>
<000901c51442$44274af0$f300a8c0@HOME>
Message-ID: <20050216161943.GA23828@jabberwocky.com>
On Wed, Feb 16, 2005 at 05:12:07PM +0100, Kiefer, Sascha wrote:
> Not really true.
> If your wall is 100 meters (i dont how to calculate in foot) high,
> and the ratio is 2^69 / 2^80 then your wall will be about 5 centimeters
> high. Which is actually a big difference. But it's that it is still higher
> than the MD5 wall. :)
Sure, assuming the SHA-1 "wall" was only 100 meters high in the first
place...
David
From sk at intertivity.com Wed Feb 16 17:28:40 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Wed Feb 16 17:24:54 2005
Subject: SHA1 broken?
In-Reply-To: <20050216161943.GA23828@jabberwocky.com>
Message-ID: <000501c51444$93922f90$f300a8c0@HOME>
Yes... But you started it ... :)
Just wanted to say that the difference is enormous.
As cpu speed grows (and so on) it's just a matter of time!
> On Wed, Feb 16, 2005 at 05:12:07PM +0100, Kiefer, Sascha wrote:
> > Not really true.
> > If your wall is 100 meters (i dont how to calculate in
> foot) high, and
> > the ratio is 2^69 / 2^80 then your wall will be about 5 centimeters
> > high. Which is actually a big difference. But it's that it is still
> > higher than the MD5 wall. :)
>
> Sure, assuming the SHA-1 "wall" was only 100 meters high in
> the first place...
>
> David
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
From dshaw at jabberwocky.com Wed Feb 16 17:56:09 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 16 17:52:56 2005
Subject: SHA1 broken?
In-Reply-To: <20050216161147.43569.qmail@smasher.org>
References: <1108543709.5827.1.camel@localhost.localdomain>
<20050216144419.GC21336@jabberwocky.com>
<20050216161147.43569.qmail@smasher.org>
Message-ID: <20050216165609.GB23828@jabberwocky.com>
On Wed, Feb 16, 2005 at 11:13:23AM -0500, Atom Smasher wrote:
> On Wed, 16 Feb 2005, David Shaw wrote:
>
> > In terms of GnuPG: it's up to you whether you want to switch hashes or
> > not. GnuPG supports all of the SHA-2 hashes, so they are at least
> > available. Be careful you don't run up against compatibility problems:
> > PGP doesn't support 384 or 512, and only recently started supporting
> > 256. GnuPG before 1.2.2 (2003-05-01), doesn't have any of the new
> > hashes. Finally, if you have a DSA signing key (most people do) you are
> > required to use either SHA-1 or RIPEMD/160. RSA signing keys can use
> > any hash.
> ====================
>
> there's more to it than that. openPGP specifies SHA-1 (and nothing else)
> as the hash used to generate key fingerprints, and is what key IDs are
> derived from.
>
> a real threat if this can be extended into a practical attack is
> substituting a key with a *different* key having the same ID and
> fingerprint. it would be difficult for average users (and impossible for
> the current openPGP infrastructure) to tell bob's key from mallory's key
> that claims to be bob's.
>
> it can also be used (if the attack becomes practical) to forge key
> signatures. mallory can create a bogus key and "sign" it with anyone's
> real key. this would turn the web of trust into dust.
If you presuppose a workable attack you can conjecture any result you
like. Let's not go off the deep end here.
Skipping completely over the point that the paper has not been
published yet so it can be checked over by the cryptographic
community, let's assume that they have indeed done what they claim to
have done: demonstrated they can find a collision in 2^69 instead of
2^80 operations. A collision attack. Not a preimage attack. And
it's not workable in practice. How many entities have the ability to
do 2^69 operations in a sane amount of time?
Without more information, it looks to me like we are now in the
position we were in with MD5 several years ago. It's not broken in
practical terms yet. Attacks don't get worse over time, of course, so
we need to start moving to something better. SHA-1 was already being
phased out:
http://www.fcw.com/fcw/articles/2005/0207/web-hash-02-07-05.asp
To be sure, this is bad, but the sky isn't falling yet.
David
From dshaw at jabberwocky.com Wed Feb 16 17:57:36 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 16 17:54:21 2005
Subject: SHA1 broken?
In-Reply-To: <000501c51444$93922f90$f300a8c0@HOME>
References: <20050216161943.GA23828@jabberwocky.com>
<000501c51444$93922f90$f300a8c0@HOME>
Message-ID: <20050216165736.GA23931@jabberwocky.com>
On Wed, Feb 16, 2005 at 05:28:40PM +0100, Kiefer, Sascha wrote:
> Yes... But you started it ... :)
> Just wanted to say that the difference is enormous.
> As cpu speed grows (and so on) it's just a matter of time!
Yes it is. Assuming this is true, we must start migrating away from
SHA-1. Actually, we should start this anyway - even the NIST
recommends moving away from SHA-1 for long-term security.
David
From atom at smasher.org Wed Feb 16 18:20:52 2005
From: atom at smasher.org (Atom Smasher)
Date: Wed Feb 16 18:15:37 2005
Subject: SHA1 broken?
In-Reply-To: <20050216165609.GB23828@jabberwocky.com>
References: <1108543709.5827.1.camel@localhost.localdomain>
<20050216144419.GC21336@jabberwocky.com>
<20050216161147.43569.qmail@smasher.org>
<20050216165609.GB23828@jabberwocky.com>
Message-ID: <20050216171915.81275.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Wed, 16 Feb 2005, David Shaw wrote:
> Without more information, it looks to me like we are now in the position
> we were in with MD5 several years ago. It's not broken in practical
> terms yet. Attacks don't get worse over time, of course, so we need to
> start moving to something better. SHA-1 was already being phased out:
> http://www.fcw.com/fcw/articles/2005/0207/web-hash-02-07-05.asp
>
> To be sure, this is bad, but the sky isn't falling yet.
===============
agreed. my point is really that the fingerprint/ID hash algo shouldn't be
carved in stone. like most other parts of the openPGP spec, it should be
flexible and user defined (within certain constraints). as time goes by,
strong algorithms are proven to be not as strong as originally thought.
this has happened to MD5, is now happening to SHA-1, and will just as
likely happen to the next generation of hash algorithms. the spec needs to
adapt to this landscape, not be re-written every time a hash is broken.
the spec has it right where the digest and cipher algorithms are
concerned, and that needs to be adapted to fingerprints and key IDs.
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"I've always thought that underpopulated countries in
Africa are vastly under-polluted."
-- Lawrence Summers,
chief economist of the World Bank,
explaining why we should export toxic wastes
to Third World countries
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCE4D6AAoJEAx/d+cTpVci2BwIAJaMmw4NGLCEzaTOC6fTqRit
7ymuHFsmGkXScFFnB6V3ELV4PFQEvY0tyw+3ZgFXEYX4/67q/UPQxHpNHzHjjMn8
w/tp7qgKEE6/PKRWsUBJBaXIyZ/6TYmdZIX0XlkJcW2/b2lWWVvo8FcxJ+FjsU+W
zBY6YrlFMbn+3f08A8lWp3JUVK1L8iZLaC8fiZ46UpJWnE4Idwt+V5RAGTrocaQR
CYCcT8TSl27xMAWHJWcLM5dXnrxOP6fpLCUOhSvR1+YrfnhoWZJRP5rEzA6WPRZi
IWTQpy0UmkTqECEtgOcXJOYSYmLEcOScFrw7Hn9j5xeO5U6hioEo/AvF70L1/lc=
=v9e1
-----END PGP SIGNATURE-----
From dany_list at natzo.com Wed Feb 16 18:45:50 2005
From: dany_list at natzo.com (Dany Nativel)
Date: Wed Feb 16 18:42:06 2005
Subject: Backup with encryption
In-Reply-To:
References: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com> <21f9090dfefa95355b0be4e8a3dcc357__13267.9878188812$1108530984$gmane$org@biglumber.com>
Message-ID: <421386CE.2030103@natzo.com>
What about Duplicity ?
http://www.nongnu.org/duplicity/
Dany
Mads Munch Hansen wrote:
> Greg Sabino Mullane wrote:
>
>>
>>
>>>> I work actually on a system of backup on my server and to secure my
>>>> data i
>>>> encrypt it with gnupg. But i have a problem, actually i have export my
>>>> public key and i don't know how to export my secret-key because if
>>>> i have a
>>>> crash on my server all my data could not be decryt because i
>>>> haven't the
>>>> secret key i have made a test. Then my question how can i made a
>>>> backup ok
>>>> my secret-key to decrypt my data before a crash?
>>>
>>
>>
>> You could also use plain-old symmetric encryption:
>>
>> gpg -ca yourfile
>>
>> (the "a" is optional but makes the files easy to recognize and send
>> through
>> email)
>>
>> The only thing you have to worry about then is forgetting the password.
>>
>> --
>> Greg Sabino Mullane greg@turnstep.com
>> PGP Key: 0x14964AC8 200502152313
>> http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8
>
>
> That would mean he would have to input a passphrase everytime he does a
> backups, or make a script that does it for him, which could be a
> potential security risk. By using a public key, the backups can be done
> unatended with no risk of passphrase being compromised if the script(s)
> are. (it would be a good idea nontheless to keep the secret key on
> another system though)
>
> Regards
> Mads
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users@gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
From wk at gnupg.org Wed Feb 16 19:54:35 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 16 19:51:07 2005
Subject: SHA1 broken?
In-Reply-To: <20050216165736.GA23931@jabberwocky.com> (David Shaw's message
of "Wed, 16 Feb 2005 11:57:36 -0500")
References: <20050216161943.GA23828@jabberwocky.com>
<000501c51444$93922f90$f300a8c0@HOME>
<20050216165736.GA23931@jabberwocky.com>
Message-ID: <87u0ocz66s.fsf@wheatstone.g10code.de>
On Wed, 16 Feb 2005 11:57:36 -0500, David Shaw said:
> Yes it is. Assuming this is true, we must start migrating away from
> SHA-1. Actually, we should start this anyway - even the NIST
> recommends moving away from SHA-1 for long-term security.
The real problem with the breakthrough is, that it seems that they
have developed a new cryptoanalytical method and that might pave the
way for further improvements. Over the last 2 decades the art of
cryptoanalysis has changed dramatically in the area of symmetric
ciphers. This will probably also happen to hash algorithms now.
There is however a huge problem replace SHA-1 by something else from
now to tomorrow: Other algorithms are not as well anaylyzed and
compared against SHA-1 as for example AES to DES are; so there is no
immediate successor of SHA-1 of whom we can be sure to withstand the
possible new techniques. Second, SHA-1 is tightly integrated in many
protocols without a fallback algorithms (OpenPGP: fingerprints, MDC,
default signature algorithm and more).
Salam-Shalom,
Werner
From wk at gnupg.org Wed Feb 16 19:59:24 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 16 19:56:02 2005
Subject: SHA1 broken?
In-Reply-To: <20050216171915.81275.qmail@smasher.org> (Atom Smasher's
message of "Wed, 16 Feb 2005 12:20:52 -0500 (EST)")
References: <1108543709.5827.1.camel@localhost.localdomain>
<20050216144419.GC21336@jabberwocky.com>
<20050216161147.43569.qmail@smasher.org>
<20050216165609.GB23828@jabberwocky.com>
<20050216171915.81275.qmail@smasher.org>
Message-ID: <87psz0z5yr.fsf@wheatstone.g10code.de>
On Wed, 16 Feb 2005 12:20:52 -0500 (EST), Atom Smasher said:
> agreed. my point is really that the fingerprint/ID hash algo shouldn't
> be carved in stone. like most other parts of the openPGP spec, it
> should be flexible and user defined (within certain constraints). as
Flexibility opens the road for rollback attacks. Thus it is sound to
rely on one specific algorithm for certain problem domains.
Assuming that the SHA-1 collision calculation is simialar to the MD5
one, tehre is even no immediate danger due to the way the fingerprints
are calculated: The first block used in the fingerprint calculation is
more or less a constant and can't be change to create a working faked
key.
Shalom-Salam,
Werner
From wk at gnupg.org Wed Feb 16 20:02:20 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 16 20:01:00 2005
Subject: SHA1 broken?
In-Reply-To: <20050216141344.GA31989@boston.com> (Darren Chamberlain's
message of "Wed, 16 Feb 2005 09:13:44 -0500")
References: <1108543709.5827.1.camel@localhost.localdomain>
<20050216141344.GA31989@boston.com>
Message-ID: <87ll9oz5tv.fsf@wheatstone.g10code.de>
On Wed, 16 Feb 2005 09:13:44 -0500, Darren Chamberlain said:
> digest-algo RIPEMD160
> in our gpg.conf, right?
Assume that you have the power to create a calculation. What would be
your target: A single message or a CA key?
I'd go for a CA or other important key. Here we rely on SHA-1 for
fingerprint calculation and the fingerprint is that piece of
information we almost always use to compare keys. You can't change
that.
Salam-Shalom,
Werner
From dshaw at jabberwocky.com Wed Feb 16 20:08:11 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 16 20:05:03 2005
Subject: SHA1 broken?
In-Reply-To: <87u0ocz66s.fsf@wheatstone.g10code.de>
References: <20050216161943.GA23828@jabberwocky.com>
<000501c51444$93922f90$f300a8c0@HOME>
<20050216165736.GA23931@jabberwocky.com>
<87u0ocz66s.fsf@wheatstone.g10code.de>
Message-ID: <20050216190811.GA24054@jabberwocky.com>
On Wed, Feb 16, 2005 at 07:54:35PM +0100, Werner Koch wrote:
> On Wed, 16 Feb 2005 11:57:36 -0500, David Shaw said:
>
> > Yes it is. Assuming this is true, we must start migrating away from
> > SHA-1. Actually, we should start this anyway - even the NIST
> > recommends moving away from SHA-1 for long-term security.
>
> The real problem with the breakthrough is, that it seems that they
> have developed a new cryptoanalytical method and that might pave the
> way for further improvements. Over the last 2 decades the art of
> cryptoanalysis has changed dramatically in the area of symmetric
> ciphers. This will probably also happen to hash algorithms now.
>
> There is however a huge problem replace SHA-1 by something else from
> now to tomorrow: Other algorithms are not as well anaylyzed and
> compared against SHA-1 as for example AES to DES are; so there is no
> immediate successor of SHA-1 of whom we can be sure to withstand the
> possible new techniques. Second, SHA-1 is tightly integrated in many
> protocols without a fallback algorithms (OpenPGP: fingerprints, MDC,
> default signature algorithm and more).
Yes. The update cannot happen overnight. I see this like MD5 a few
years back. It is time to start the migration now because it will
certainly take several years to complete.
As you point out, the first step in the migration is knowing what to
migrate to, and that is not at all clear yet. Until we know what
we're doing, I think we can do more harm by running around crazy and
changing things without careful study.
David
From jason.barnett at telesuite.com Wed Feb 16 20:22:01 2005
From: jason.barnett at telesuite.com (Jason Barnett)
Date: Wed Feb 16 20:21:43 2005
Subject: Newsgroup signing error
In-Reply-To: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com>
References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com>
Message-ID:
vedaal@hush.com wrote:
> if sha-1 does turn out to be as weak/broken as md-5,
>
...
My apologies for responding to this thread instead of starting a new
one, but I need to do this as a reply for a test.
I am a member of another newsgroup (php.general) where I regularly post
messages and sign them. However, I have noticed that some of my
messages will sign correctly while others do not. I use Thunderbird 1.0
with Enigmail 0.90.1.1 to post / read messages from that server. So my
question is: is this really a news server error or a bug in my news reader?
From bogus@does.not.exist.com Thu Feb 3 21:55:48 2005
From: bogus@does.not.exist.com ()
Date: Wed Feb 16 20:21:43 2005
Subject: No subject
Message-ID:
when I respond to a message and / or cut out part of the message using
ellipses (...).
I would assume that a gpg.user newsgroup would be able to handle gpg
signed messages correctly so hopefully this message will sign correctly.
Then again I've been wrong about other things in the past. ;)
>
> Promote security and make money with the Hushmail Affiliate Program:
> http://www.hushmail.com/about-affiliate?l=427
From jason.barnett at telesuite.com Wed Feb 16 20:35:17 2005
From: jason.barnett at telesuite.com (Jason Barnett)
Date: Wed Feb 16 20:33:56 2005
Subject: Newsgroup signing error
In-Reply-To:
References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com>
Message-ID:
Jason Barnett wrote:
> I would assume that a gpg.user newsgroup would be able to handle gpg
> signed messages correctly so hopefully this message will sign correctly.
> Then again I've been wrong about other things in the past. ;)
...
I suppose it would be a better test if I had actually signed my
message
>
>>Promote security and make money with the Hushmail Affiliate Program:
>>http://www.hushmail.com/about-affiliate?l=427
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 186 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050216/e30bdf6f/signature.pgp
From swright at physics.adelaide.edu.au Wed Feb 16 20:54:17 2005
From: swright at physics.adelaide.edu.au (Stewart V. Wright)
Date: Wed Feb 16 20:51:02 2005
Subject: Newsgroup signing error
In-Reply-To:
References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com>
Message-ID: <20050216195417.GD25431@anl.gov>
G'day possible Person Impersonating Jason, ;-)
* Jason Barnett [050216 13:41]:
> I suppose it would be a better test if I had actually signed my
> message
Your signature failed.
Have you tried emailing yourself and then replying with your '...'
and checking that?
Have you tried using one of the testing newsgroups for testing?
Have you tried getting your news from some other online source (like
Google)?
Have you tried anything except mailing us?
It might be useful so we can exclude possible problems......
Oh, just so you know it will work:
...
...
...
Cheers,
S.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 274 bytes
Desc: Digital signature
Url : /pipermail/attachments/20050216/228c2cb3/attachment.pgp
From jharris at widomaker.com Wed Feb 16 21:05:07 2005
From: jharris at widomaker.com (Jason Harris)
Date: Wed Feb 16 21:01:24 2005
Subject: SHA1 broken?
In-Reply-To: <87psz0z5yr.fsf@wheatstone.g10code.de>
References: <1108543709.5827.1.camel@localhost.localdomain>
<20050216144419.GC21336@jabberwocky.com>
<20050216161147.43569.qmail@smasher.org>
<20050216165609.GB23828@jabberwocky.com>
<20050216171915.81275.qmail@smasher.org>
<87psz0z5yr.fsf@wheatstone.g10code.de>
Message-ID: <20050216200506.GE1184@wilma.widomaker.com>
On Wed, Feb 16, 2005 at 07:59:24PM +0100, Werner Koch wrote:
> Assuming that the SHA-1 collision calculation is simialar to the MD5
> one, tehre is even no immediate danger due to the way the fingerprints
> are calculated: The first block used in the fingerprint calculation is
> more or less a constant and can't be change to create a working faked
> key.
The key creation time can be varied at will, and, I presume, v4 RSA
key material can be too, a la v3 "vanity" keyids. But, is duplicating
v4 key fingerprints a useful attack?
While two v4 keys with the same fingerprint could "steal" userid
certifications made by others, any signatures produced by the
colliding keys, including selfsigs on their userids, can _not_
be "stolen," TTBOMK.
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050216/86a7f44b/attachment.pgp
From malte.gell at gmx.de Wed Feb 16 21:38:33 2005
From: malte.gell at gmx.de (Malte Gell)
Date: Wed Feb 16 21:35:37 2005
Subject: Newsgroup signing error
In-Reply-To:
References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com>
Message-ID: <200502162138.55749.malte.gell@gmx.de>
On Wednesday 16 February 2005 20:35, Jason Barnett wrote:
> I suppose it would be a better test if I had actually signed my
> message
Your signature failed. Recently David reported an issue with PGP/MIME
signatures and GnuPG 1.4, but this is more a MUA issue than a GnuPG
issue, see his announcement from Jan-05:
http://marc.theaimsgroup.com/?l=gnupg-users&m=110608002711441&w=2
It seems you use Enigmail, could post a new message to the list, but
with an inline signature and not PGP/MIME signed? If this signature
works then you know it's an Enigmail issue.
HTH
Malte
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 400 bytes
Desc: not available
Url : /pipermail/attachments/20050216/aa46ae24/attachment-0001.pgp
From johanw at vulcan.xs4all.nl Wed Feb 16 20:59:04 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed Feb 16 22:10:35 2005
Subject: SHA1 broken?
In-Reply-To: <20050216161147.43569.qmail@smasher.org> from Atom Smasher at
"Feb 16, 2005 11:13:23 am"
Message-ID: <200502161959.UAA00501@vulcan.xs4all.nl>
Atom Smasher wrote:
>the openPGP spec seemed to have assumed that SHA-1 just wouldn't fail.
>ever. this was the same mistake made in the original version of pgp that
>relied on md5.
Well, the original pgp 1.0 used MD4. When that was broken, it got replaced
by MD5. This does require the OpenPGP spec to be adapted of course. And in
the pgp 1 and 2 age, the web of trust was of course much smaller than it is
now, so it required less work.
>the spec needs to allow a choice of hash algorithms for fingerprints and
>key IDs, or else we'll play this game every time someone breaks a strong
>hash algorithm.
That would be a more flexible approach than hardwiring a new hashalgo each
time the previous one was broken. Perhaps a reason to re-add the 1.0 way
of adding encryption and hash functions as dynamic loadable modules to the
main program?
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From swright at physics.adelaide.edu.au Wed Feb 16 22:18:24 2005
From: swright at physics.adelaide.edu.au (Stewart V. Wright)
Date: Wed Feb 16 22:15:00 2005
Subject: Newsgroup signing error
In-Reply-To: <20050216195417.GD25431@anl.gov>
References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com>
<20050216195417.GD25431@anl.gov>
Message-ID: <20050216211824.GA29469@anl.gov>
G'day Paul, (Sending this back to the GnuPG-users list)
* Paul Squires [050216 15:08]:
> Stewart V. Wright wrote:
> > G'day possible Person Impersonating Jason, ;-)
> >
> > * Jason Barnett [050216 13:41]:
> >
> >>I suppose it would be a better test if I had actually signed my
> >>message
> >
> >
> > Your signature failed.
>
> Which is odd since as far as /my/ mailer is concerned, it didn't (also
> using TB/enigmail).
Ah, well, there's your problem then. See the other post about broken
mailers...
> Guess an MTA must be amending the message somewhere along the line...
Nope, just a flakey implementation of RFC-3156. This would make sense
as your clear-signed message worked for me. (I gather RFC-3156 is
PGP/MIME related from reading David's previous email.)
Cheers,
S.
P.S. It's sooooo easy to be patronising when one uses mutt! ;-)
P.P.S I'm intrigued. Does your mailer verify my signature
as the previous line ended with a couple of spaces.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 274 bytes
Desc: Digital signature
Url : /pipermail/attachments/20050216/c007c77a/attachment.pgp
From andy at strugglers.net Wed Feb 16 23:23:38 2005
From: andy at strugglers.net (Andy Smith)
Date: Thu Feb 17 00:23:27 2005
Subject: subkeys problem
Message-ID: <20050216222338.GR82728@caffreys.strugglers.net>
Hi folks,
I have a gpg key, which can be found at
http://strugglers.net/pubkey.asc or on keyservers; 0xBF15490B.
A while ago I decided to revoke the encryption key and generate a
new encryption key with 2048 bits instead of 1024. I thought it had
worked so went ahead and revoked the encryption subkey, 0x9EE99022.
The new encryption subkey is 0x604DE5DB.
The problem is that, I still receive things encrypted to 0x9EE99022.
I tell people to make sure they have imported my key and when they
try they tell me that they get "subkey errors". I also note that
some keyservers contain a version of my key with no reference to the
subkey 0x604DE5DB. I try to upload a new version but nothing seems
to happen.
Someone said this was something to do with subkeys and that I should
use the keyserver subkeys.pgp.net. Using that keyserver I can
upload something that does seem to represent my key properly, but
others (who also use gpg) cannot get my key from there.
So my questions are..
- Did I do something stupid?
- Is it recoverable without having revoke my keys entirely and start
again with new ones?
Thanks,
Andy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20050216/c1766e60/attachment.pgp
From dshaw at jabberwocky.com Thu Feb 17 00:38:57 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 17 00:35:45 2005
Subject: subkeys problem
In-Reply-To: <20050216222338.GR82728@caffreys.strugglers.net>
References: <20050216222338.GR82728@caffreys.strugglers.net>
Message-ID: <20050216233857.GB24054@jabberwocky.com>
On Wed, Feb 16, 2005 at 10:23:38PM +0000, Andy Smith wrote:
> Hi folks,
>
> I have a gpg key, which can be found at
> http://strugglers.net/pubkey.asc or on keyservers; 0xBF15490B.
>
> A while ago I decided to revoke the encryption key and generate a
> new encryption key with 2048 bits instead of 1024. I thought it had
> worked so went ahead and revoked the encryption subkey, 0x9EE99022.
> The new encryption subkey is 0x604DE5DB.
>
> The problem is that, I still receive things encrypted to 0x9EE99022.
> I tell people to make sure they have imported my key and when they
> try they tell me that they get "subkey errors". I also note that
> some keyservers contain a version of my key with no reference to the
> subkey 0x604DE5DB. I try to upload a new version but nothing seems
> to happen.
>
> Someone said this was something to do with subkeys and that I should
> use the keyserver subkeys.pgp.net. Using that keyserver I can
> upload something that does seem to represent my key properly, but
> others (who also use gpg) cannot get my key from there.
I'd need to get a better error report than "subkey errors" to help
you, I'm afraid.
For what it's worth, I pulled your key from all of the servers that
make up subkeys.pgp.net and it was fine on each of them.
David
From jason.barnett at telesuite.com Thu Feb 17 00:37:57 2005
From: jason.barnett at telesuite.com (Jason Barnett)
Date: Thu Feb 17 00:36:27 2005
Subject: Newsgroup signing error
In-Reply-To: <20050216195417.GD25431__38779.8776537695$1108583674$gmane$org@anl.gov>
References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com>
<20050216195417.GD25431__38779.8776537695$1108583674$gmane$org@anl.gov>
Message-ID:
Stewart V. Wright wrote:
> G'day possible Person Impersonating Jason, ;-)
I know, I know. I've just started using GPG and don't have anyone in my
web of trust yet... still working on that part :)
>
> * Jason Barnett [050216 13:41]:
>
>>I suppose it would be a better test if I had actually signed my
>>message
>
>
> Your signature failed.
>
>
> Have you tried emailing yourself and then replying with your '...'
> and checking that?
Yep... my message gets signed correctly.
>
> Have you tried using one of the testing newsgroups for testing?
I didn't know those existed. I have posted messages to several
newgroups, but if you tell me which group(s) are out there for this
purpose I will gladly try that.
>
> Have you tried getting your news from some other online source (like
> Google)?
I *was* doing everything through my newsreader; I will try that as well.
>
> Have you tried anything except mailing us?
Absolutely! When I first set everything up my first tests were emails
to myself to see if I created good signatures. I even tested encryption
to make sure that encrypted messages went through ok, and finally I sent
messages that were both encrypted *and* signed to myself to see if those
checked out ok... which they did.
>
> It might be useful so we can exclude possible problems......
>
>
> Oh, just so you know it will work:
>
> ...
...
>
Yes, strange I know. I had someone on the Enigmail mailing list suggest
that the news server and/or my reader might be adding an extra period
after the ellipses. Now mind you I don't know who the culprit is, but I
did notice this behavior on several of the failed-signature messages.
So, I wrote here in the hopes of testing whether it's a reader issue or
a server issue.
> ------------------------------------------------------------------------
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
From jason.barnett at telesuite.com Thu Feb 17 00:44:10 2005
From: jason.barnett at telesuite.com (Jason Barnett)
Date: Thu Feb 17 00:42:29 2005
Subject: Newsgroup signing error
In-Reply-To: <20050216211824.GA29469__37162.4522879303$1108588691$gmane$org@anl.gov>
References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com>
<20050216195417.GD25431@anl.gov>
<20050216211824.GA29469__37162.4522879303$1108588691$gmane$org@anl.gov>
Message-ID:
Stewart V. Wright wrote:
> G'day Paul, (Sending this back to the GnuPG-users list)
>
>
...
>>>
>>>Your signature failed.
>>
>>Which is odd since as far as /my/ mailer is concerned, it didn't (also
>>using TB/enigmail).
>
>
> Ah, well, there's your problem then. See the other post about broken
> mailers...
>
>
>>Guess an MTA must be amending the message somewhere along the line...
>
>
> Nope, just a flakey implementation of RFC-3156. This would make sense
> as your clear-signed message worked for me. (I gather RFC-3156 is
> PGP/MIME related from reading David's previous email.)
This makes sense (wish I had read this before my last message to this
group!). I have been using PGP/MIME rather than clear-signed messages
all along.
>
>
> Cheers,
>
> S.
>
>
> P.S. It's sooooo easy to be patronising when one uses mutt! ;-)
Yeah, yeah.
>
> P.P.S I'm intrigued. Does your mailer verify my signature
> as the previous line ended with a couple of spaces.
FYI Thunderbird / Enigmail 0.90.1.1 verified your signature as
"UNTRUSTED Good signature from Stewart V. Wright
"
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
From andy at strugglers.net Thu Feb 17 01:05:47 2005
From: andy at strugglers.net (Andy Smith)
Date: Thu Feb 17 01:01:57 2005
Subject: subkeys problem
In-Reply-To: <20050216233857.GB24054@jabberwocky.com>
References: <20050216222338.GR82728@caffreys.strugglers.net>
<20050216233857.GB24054@jabberwocky.com>
Message-ID: <20050217000547.GU82728@caffreys.strugglers.net>
On Wed, Feb 16, 2005 at 06:38:57PM -0500, David Shaw wrote:
> I'd need to get a better error report than "subkey errors" to help
> you, I'm afraid.
>
> For what it's worth, I pulled your key from all of the servers that
> make up subkeys.pgp.net and it was fine on each of them.
Hi David,
Thanks for that. If you now attempt to encrypt something to
"andy@strugglers.net", do you end up encrypting to the correct key?
I will try to get the exact error messages that others report.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20050217/f7b7cb84/attachment.pgp
From swright at physics.adelaide.edu.au Thu Feb 17 01:32:35 2005
From: swright at physics.adelaide.edu.au (Stewart V. Wright)
Date: Thu Feb 17 01:29:18 2005
Subject: Newsgroup signing error
In-Reply-To:
References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com>
<20050216195417.GD25431@anl.gov>
<20050216211824.GA29469__37162.4522879303$1108588691$gmane$org@anl.gov>
Message-ID: <20050217003235.GC29469@anl.gov>
G'day Jason,
* Jason Barnett [050216 17:55]:
>
> This makes sense (wish I had read this before my last message to this
> group!). I have been using PGP/MIME rather than clear-signed messages
> all along.
Without wanting to start too much of a argument, it seems from my
reading that the preferred way of sending messages should be
PGP/MIME. The benefits over inline signatures, including being able
to include attachments in the signed message and non-ASCII characters
are significant.
However, many people will disagree...
> > P.P.S I'm intrigued. Does your mailer verify my signature
> > as the previous line ended with a couple of spaces.
>
> FYI Thunderbird / Enigmail 0.90.1.1 verified your signature as
> "UNTRUSTED Good signature from Stewart V. Wright
> "
Well, as they say "every cloud has a silver lining" and at least
Thunderbird / Enigmail does the right thing for properly formatted
messages.
You can now trust what we tell you, even if we can't trust your
replies! ;-)
Good luck with finding a solution.
Cheers,
S.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 274 bytes
Desc: Digital signature
Url : /pipermail/attachments/20050216/2b0827fc/attachment-0001.pgp
From jharris at widomaker.com Thu Feb 17 01:34:28 2005
From: jharris at widomaker.com (Jason Harris)
Date: Thu Feb 17 01:30:41 2005
Subject: subkeys problem
In-Reply-To: <20050216222338.GR82728@caffreys.strugglers.net>
References: <20050216222338.GR82728@caffreys.strugglers.net>
Message-ID: <20050217003428.GF1184@wilma.widomaker.com>
On Wed, Feb 16, 2005 at 10:23:38PM +0000, Andy Smith wrote:
> I have a gpg key, which can be found at
> http://strugglers.net/pubkey.asc or on keyservers; 0xBF15490B.
> A while ago I decided to revoke the encryption key and generate a
> new encryption key with 2048 bits instead of 1024. I thought it had
> worked so went ahead and revoked the encryption subkey, 0x9EE99022.
> The new encryption subkey is 0x604DE5DB.
> The problem is that, I still receive things encrypted to 0x9EE99022.
> Someone said this was something to do with subkeys and that I should
> use the keyserver subkeys.pgp.net. Using that keyserver I can
> upload something that does seem to represent my key properly, but
> others (who also use gpg) cannot get my key from there.
Your key on the SKS servers has a lot of subkey signatures
misplaced on userids:
%gpg -v --keyserver keyserver.noreply.org --recv 0x604DE5DB
gpg: requesting key 604DE5DB from hkp server keyserver.noreply.org
Host: keyserver.noreply.org
Command: GET
gpgkeys: HTTP URL is `hkp://keyserver.noreply.org/pks/lookup?op=get&options=mr&search=0x604DE5DB'
gpg: armor header: Version: SKS 1.0.9
gpg: pub 1024D/BF15490B 1998-08-12 Andy J. Smith
gpg: key BF15490B: no subkey for subkey revocation signature
gpg: key BF15490B: no subkey for key revocation
gpg: key BF15490B: no subkey for subkey revocation signature
gpg: key BF15490B: no subkey for key revocation
gpg: key BF15490B: no subkey for subkey revocation signature
gpg: key BF15490B: no subkey for key revocation
gpg: key BF15490B: no subkey for subkey revocation signature
gpg: key BF15490B: no subkey for key revocation
gpg: key BF15490B: no subkey for subkey revocation signature
gpg: key BF15490B: no subkey for key revocation
gpg: key BF15490B: no subkey for subkey revocation signature
gpg: key BF15490B: no subkey for key revocation
gpg: key BF15490B: no subkey for subkey revocation signature
gpg: key BF15490B: no subkey for key revocation
gpg: key BF15490B: no subkey for subkey revocation signature
gpg: key BF15490B: no subkey for key revocation
gpg: key BF15490B: no subkey for subkey revocation signature
gpg: key BF15490B: no subkey for key revocation
gpg: key BF15490B: no subkey for subkey revocation signature
gpg: key BF15490B: no subkey for key revocation
gpg: key BF15490B: no subkey for subkey revocation signature
gpg: key BF15490B: no subkey for key revocation
gpg: key BF15490B: no subkey for subkey revocation signature
gpg: key BF15490B: no subkey for key revocation
gpg: key BF15490B: no subkey for subkey revocation signature
gpg: key BF15490B: no subkey for key revocation
gpg: key BF15490B: invalid subkey binding
gpg: key BF15490B: removed multiple subkey binding
gpg: key BF15490B: invalid subkey revocation
gpg: key BF15490B: invalid subkey binding
gpg: key BF15490B: invalid subkey revocation
gpg: key BF15490B: invalid subkey revocation
gpg: key BF15490B: invalid subkey binding
gpg: key BF15490B: invalid subkey binding
gpg: key BF15490B: invalid subkey binding
gpg: key BF15490B: invalid subkey revocation
gpg: key BF15490B: invalid subkey revocation
gpg: key BF15490B: invalid subkey binding
gpg: key BF15490B: invalid subkey binding
gpg: key BF15490B: invalid subkey revocation
gpg: key BF15490B: invalid subkey revocation
gpg: key BF15490B: subkey signature in wrong place - skipped
gpg: key BF15490B: subkey signature in wrong place - skipped
gpg: key BF15490B: subkey signature in wrong place - skipped
gpg: key BF15490B: subkey signature in wrong place - skipped
gpg: key BF15490B: subkey signature in wrong place - skipped
gpg: key BF15490B: subkey signature in wrong place - skipped
gpg: key BF15490B: subkey signature in wrong place - skipped
gpg: key BF15490B: subkey signature in wrong place - skipped
gpg: key BF15490B: subkey signature in wrong place - skipped
gpg: key BF15490B: subkey signature in wrong place - skipped
gpg: key BF15490B: subkey signature in wrong place - skipped
gpg: key BF15490B: subkey signature in wrong place - skipped
gpg: key BF15490B: subkey signature in wrong place - skipped
gpg: key BF15490B: skipped subkey
gpg: key BF15490B: public key "Andy Smith " imported
gpg: Total number processed: 1
gpg: imported: 1
but it looks like most of its subkeys are in order:
%gpg -v ...
[snip]
sub 2048g/9EE99022 1998-08-12 [revoked: 2002-03-30]
sig! BF15490B 1998-08-12 Andy Smith <>
rev! BF15490B 2002-03-30 Andy Smith <>
sub 2048g/604DE5DB 2004-05-28
sig! BF15490B 2004-05-28 Andy Smith <>
sub 4096g/AD7623D2 2002-03-30 [revoked: 2002-03-30]
sig! BF15490B 2002-03-30 Andy Smith <>
rev! BF15490B 2002-03-30 Andy Smith <>
sub 4096G/237C258F 2002-03-30 [revoked: 2004-05-28]
sig! BF15490B 2002-03-30 Andy Smith <>
rev! BF15490B 2004-05-28 Andy Smith <>
sub 4096g/2F6F4447 2002-07-25 [revoked: 2004-05-28]
sig! BF15490B 2002-07-25 Andy Smith <>
rev! BF15490B 2004-05-28 Andy Smith <>
except for that nagging "gpg: key BF15490B: skipped subkey,"
which would seem to refer to:
(NB: output from keyserver.kjsl.com:11371)
sub 4096g/788FA859 2002-07-25 [subkey, revoked?]
Key fingerprint = 43A9 5BF3 7FF4 76EE 4694 DBCB E47E 70A6 788F A859
sig 0x18 BF15490B 2002-07-25 [keybind, hash: type 2, 7f 15]
rev 0x28 BF15490B 2002-07-25 [keybind, hash: type 2, 21 78]
rev 0x28 BF15490B 2002-03-30 [keybind, hash: type 2, a9 dd]
which only has bad signatures from other subkeys and isn't even
importable from http://strugglers.net/pubkey.asc :
%gpg --import pubkey.asc
gpg: key BF15490B: "Andy Smith " not changed
gpg: Total number processed: 1
gpg: unchanged: 1
%gpg -k 788FA859
gpg: error reading key: public key not found
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050216/24fc3020/attachment.pgp
From dshaw at jabberwocky.com Thu Feb 17 02:03:12 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 17 02:00:02 2005
Subject: subkeys problem
In-Reply-To: <20050217000547.GU82728@caffreys.strugglers.net>
References: <20050216222338.GR82728@caffreys.strugglers.net>
<20050216233857.GB24054@jabberwocky.com>
<20050217000547.GU82728@caffreys.strugglers.net>
Message-ID: <20050217010312.GA24504@jabberwocky.com>
On Thu, Feb 17, 2005 at 12:05:47AM +0000, Andy Smith wrote:
> On Wed, Feb 16, 2005 at 06:38:57PM -0500, David Shaw wrote:
> > I'd need to get a better error report than "subkey errors" to help
> > you, I'm afraid.
> >
> > For what it's worth, I pulled your key from all of the servers that
> > make up subkeys.pgp.net and it was fine on each of them.
>
> Hi David,
>
> Thanks for that. If you now attempt to encrypt something to
> "andy@strugglers.net", do you end up encrypting to the correct key?
>
> I will try to get the exact error messages that others report.
Sure, it works fine.
To be sure, they key that is stored on the keyserver is full of all
sorts of bad data (data in the wrong place, etc), but GnuPG doesn't
really care about that, as it skips the bad stuff. The keyserver
operators may care to figure out how your key was so mangled, but
regular users should just see a good key for you. GnuPG doesn't even
print out the warnings about skipping bad data unless you ask for it.
David
From andy at strugglers.net Thu Feb 17 02:13:58 2005
From: andy at strugglers.net (Andy Smith)
Date: Thu Feb 17 02:10:09 2005
Subject: subkeys problem
In-Reply-To: <20050217003428.GF1184@wilma.widomaker.com>
References: <20050216222338.GR82728@caffreys.strugglers.net>
<20050217003428.GF1184@wilma.widomaker.com>
Message-ID: <20050217011358.GW82728@caffreys.strugglers.net>
Hi Jason,
On Wed, Feb 16, 2005 at 07:34:28PM -0500, Jason Harris wrote:
> Your key on the SKS servers has a lot of subkey signatures
> misplaced on userids:
[...]
How should I go about cleaning that up?
> but it looks like most of its subkeys are in order:
[...]
> except for that nagging "gpg: key BF15490B: skipped subkey,"
> which would seem to refer to:
>
> (NB: output from keyserver.kjsl.com:11371)
> sub 4096g/788FA859 2002-07-25 [subkey, revoked?]
> Key fingerprint = 43A9 5BF3 7FF4 76EE 4694 DBCB E47E 70A6 788F A859
> sig 0x18 BF15490B 2002-07-25 [keybind, hash: type 2, 7f 15]
> rev 0x28 BF15490B 2002-07-25 [keybind, hash: type 2, 21 78]
> rev 0x28 BF15490B 2002-03-30 [keybind, hash: type 2, a9 dd]
>
> which only has bad signatures from other subkeys and isn't even
> importable from http://strugglers.net/pubkey.asc :
Thanks for that - what would you suggest I do to clean it up a bit
though? 0x788FA859 isn't even in my current key and I have no way
to remove information from key servers, right?
$ gpg --edit-key andy@strugglers.net
Secret key is available.
pub 1024D/BF15490B created: 1998-08-12 expires: never usage: CS
trust: ultimate validity: ultimate
sub 2048g/604DE5DB created: 2004-05-28 expires: never usage: E
sub 2048g/9EE99022 created: 1998-08-12 revoked: 2002-03-30 usage: E
sub 4096g/AD7623D2 created: 2002-03-30 revoked: 2002-03-30 usage: E
sub 4096G/237C258F created: 2002-03-30 revoked: 2004-05-28 usage:
sub 4096g/2F6F4447 created: 2002-07-25 revoked: 2004-05-28 usage: E
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20050217/67862120/attachment.pgp
From andy at strugglers.net Thu Feb 17 02:17:34 2005
From: andy at strugglers.net (Andy Smith)
Date: Thu Feb 17 02:13:42 2005
Subject: subkeys problem
In-Reply-To: <20050217010312.GA24504@jabberwocky.com>
References: <20050216222338.GR82728@caffreys.strugglers.net>
<20050216233857.GB24054@jabberwocky.com>
<20050217000547.GU82728@caffreys.strugglers.net>
<20050217010312.GA24504@jabberwocky.com>
Message-ID: <20050217011734.GX82728@caffreys.strugglers.net>
On Wed, Feb 16, 2005 at 08:03:12PM -0500, David Shaw wrote:
> To be sure, they key that is stored on the keyserver is full of all
> sorts of bad data (data in the wrong place, etc), but GnuPG doesn't
> really care about that, as it skips the bad stuff. The keyserver
> operators may care to figure out how your key was so mangled, but
> regular users should just see a good key for you. GnuPG doesn't even
> print out the warnings about skipping bad data unless you ask for it.
Unfortunately, I now have multiple correspondents who I would like
to receive encrypted mail from who cannot import my key at all using
gpg so that they can encrypt things to 0x604DE5DB.
I will get the exact error messages from them.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20050217/39ababfa/attachment.pgp
From dshaw at jabberwocky.com Thu Feb 17 04:18:24 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 17 04:15:06 2005
Subject: [Announce] Second release candidate for 1.4.1 available
Message-ID: <20050217031824.GA24720@jabberwocky.com>
Hi!
We are pleased to announce the availability of a the second release
candidate for the forthcoming 1.4.1 version of GnuPG:
ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc2.tar.bz2 (2.7M)
ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc2.tar.bz2.sig
ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1-1.4.1rc2.diff.bz2 (338K)
An installer for Windows is also available:
ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe (1.4M)
ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe.sig
SHA-1 checksums for the above files are:
cfa9d6f4c7a0aa5b58df75e3b5480a8ccf223dea gnupg-1.4.1rc2.tar.bz2
21d4c2ef378e89b87123dc97c90989e8f1e09783 gnupg-1.4.1rc1-1.4.1rc2.diff.bz2
99f3bd0165cbfcbc2b562b42a3e0be64cec09b85 gnupg-w32cli-1.4.1rc2.exe
Please try these versions out and report any problems.
Noteworthy changes since 1.4.0:
* New --rfc2440-text option which controls how text is handled in
signatures. This is in response to some problems seen with
certain PGP/MIME mail clients and GnuPG version 1.4.0. More
details about this are available at
.
* New "import-unusable-sigs" and "export-unusable-sigs" tags for
--import-options and --export-options. These are off by default,
which causes GnuPG to not import or export key signatures that
are not usable (e.g. expired signatures).
* New experimental HTTP, HTTPS, FTP, and FTPS keyserver helper
that uses the cURL library to retrieve
keys. This is disabled by default, but may be enabled with the
configure option --with-libcurl. Without this option, the
existing HTTP code is used for HTTP, and HTTPS, FTP, and FTPS
are not supported.
* When running a --card-status or --card-edit and a public key is
available, missing secret key stubs will be created on the fly.
Details of the key are listed too.
* The implicit packet dumping in double verbose mode is now sent
to stderr and not to stdout.
* Added countermeasures against the Mister/Zuccherato CFB attack
.
* [W32] The algorithm for the default home directory changed:
First we look at the environment variable GNUPGHOME, if this one
is not set, we check whether the registry entry
{HKCU,HKLM}\Software\GNU\GnuPG:HomeDir has been set. If this
fails we use a GnuPG directory below the standard application
data directory (APPDATA) of the current user. Only in the case
that this directory cannot be determined, the old default of
c:\gnupg will be used. The option --homedir still overrides all
of them.
* [W32] The locale selection under Windows changed. You need to
enter the locale in the registry at HKCU\Software\GNU\GnuPG:Lang.
For German you would use "de". If it is not set, GnuPG falls
back to HKLM. The languages files "*.mo" are expected in a
directory named "gnupg.nls" below the installation directory;
that directory must be stored in the registry at the same key as
above with the name "Install Directory".
* Add new --edit-key command "bkuptocard" to allow restoring a
card key from a backup.
* The "fetch" command of --card-edit now retrieves the key using
the default keyserver if no URL has been stored on the card.
Happy Hacking,
David, Timo, Werner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 249 bytes
Desc: not available
Url : /pipermail/attachments/20050216/75b7c48e/attachment.pgp
From dshaw at jabberwocky.com Thu Feb 17 04:43:10 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 17 04:39:54 2005
Subject: [PATCH] gnupg.spec [WAS: unable to execute program
`gpgkeys_hkp': Permission denied]
In-Reply-To: <20050213162558.GA5569@anl.gov>
References: <200502092045.54635.adam00f@ducksburg.com>
<20050209210131.GE13440@anl.gov>
<20050209211832.GD13550@jabberwocky.com>
<20050209214834.GF13440@anl.gov>
<20050210033606.GC13965@jabberwocky.com>
<20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov>
<20050211202000.GD7710@anl.gov>
<20050212050506.GE22456@jabberwocky.com>
<20050213162558.GA5569@anl.gov>
Message-ID: <20050217034310.GF24504@jabberwocky.com>
On Sun, Feb 13, 2005 at 10:25:58AM -0600, Stewart V. Wright wrote:
> > Try the attached spec. I think it should work now.
>
> Yup. I guess I should have RTFM for rm and just gone with the -f
> flag... Good catch!
Ok, good. I've made this change for 1.4.1.
David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 249 bytes
Desc: not available
Url : /pipermail/attachments/20050216/046ab1b4/attachment.pgp
From dshaw at jabberwocky.com Thu Feb 17 04:44:10 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 17 04:40:54 2005
Subject: [PATCH] gnupg.spec [WAS: unable to execute program
`gpgkeys_hkp': Permission denied]
In-Reply-To: <20050214210800.GR4175@psilocybe.teonanacatl.org>
References: <200502092045.54635.adam00f@ducksburg.com>
<20050209210131.GE13440@anl.gov>
<20050209211832.GD13550@jabberwocky.com>
<20050209214834.GF13440@anl.gov>
<20050210033606.GC13965@jabberwocky.com>
<20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov>
<20050211202000.GD7710@anl.gov>
<20050212050506.GE22456@jabberwocky.com>
<20050214210800.GR4175@psilocybe.teonanacatl.org>
Message-ID: <20050217034410.GG24504@jabberwocky.com>
On Mon, Feb 14, 2005 at 04:08:00PM -0500, Todd wrote:
> In doing so, it seems like a nicer way to solve this would be to
> simply modify two automake files in gnupg to use pkglibexecdir instead
> of libexecdir. The attached patch against CVS does this and worked
> for me in my simple testing. It allows libexecdir to be set as one
> would normally set it and not have to worry about the gnupg subdr
> portion. Of course, if one wants to change that seperately from
> libexecdir, it can be done by passing pkglibexecdir to make:
>
> make pkglibexecdir=/usr/anydir/gpg
I think this is a good idea. I don't want to mess about with the
build this close to the 1.4.1 release, but I will revisit this for
1.4.2.
David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 249 bytes
Desc: not available
Url : /pipermail/attachments/20050216/a2c9f4e5/attachment-0001.pgp
From jharris at widomaker.com Thu Feb 17 05:55:35 2005
From: jharris at widomaker.com (Jason Harris)
Date: Thu Feb 17 05:51:48 2005
Subject: subkeys problem
In-Reply-To: <20050217011358.GW82728@caffreys.strugglers.net>
References: <20050216222338.GR82728@caffreys.strugglers.net>
<20050217003428.GF1184@wilma.widomaker.com>
<20050217011358.GW82728@caffreys.strugglers.net>
Message-ID: <20050217045535.GG1184@wilma.widomaker.com>
On Thu, Feb 17, 2005 at 01:13:58AM +0000, Andy Smith wrote:
> On Wed, Feb 16, 2005 at 07:34:28PM -0500, Jason Harris wrote:
> > Your key on the SKS servers has a lot of subkey signatures
> > misplaced on userids:
> How should I go about cleaning that up?
One would have to modify SKS. But the LDAP keyservers (at least
the older ones) have the same problem.
> > sub 4096g/788FA859 2002-07-25 [subkey, revoked?]
> > Key fingerprint = 43A9 5BF3 7FF4 76EE 4694 DBCB E47E 70A6 788F A859
> Thanks for that - what would you suggest I do to clean it up a bit
> though? 0x788FA859 isn't even in my current key and I have no way
> to remove information from key servers, right?
Right. GPG doesn't import it, so it shouldn't be a problem. However,
if you did create that subkey and can find it in a backup somewhere,
you should be able to revoke it or begin using it, and/or decrypt any
data previously encrypted to it.
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050216/76e19c51/attachment.pgp
From shavital at mac.com Thu Feb 17 07:36:06 2005
From: shavital at mac.com (Charly Avital)
Date: Thu Feb 17 07:32:35 2005
Subject: [Announce] Second release candidate for 1.4.1 available
In-Reply-To: <20050217031824.GA24720@jabberwocky.com>
References: <20050217031824.GA24720@jabberwocky.com>
Message-ID: <89b8ae1cbf0fc4a9ee9dd426892aa737@mac.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Feb 16, 2005, at 10:18 PM, David Shaw wrote:
> Hi!
>
> We are pleased to announce the availability of a the second release
> candidate for the forthcoming 1.4.1 version of GnuPG:
>
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc2.tar.bz2
> (2.7M)
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc2.tar.bz2.sig
> [...]
Compiled with idea.c for Mac OS X 10.3.8.
Running fine.
Thanks.
Charly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (Darwin)
Comment: GnuPG for Privacy
iD8DBQFCFDti8SG5rMkbCF4RAhYAAKDKxB8Ik6oScyd7Bpkg+CnHR77jZACfWgpk
MhMNNv07hMW6GMIZGIOZifo=
=gfwk
-----END PGP SIGNATURE-----
From atom at smasher.org Wed Feb 16 21:56:25 2005
From: atom at smasher.org (Atom Smasher)
Date: Thu Feb 17 07:51:23 2005
Subject: SHA-1 break - in perspective
Message-ID: <20050216205449.90659.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
this should help put the (alleged until proven otherwise) SHA-1 break into
perspective. thanks to Sascha Kiefer for giving me the idea.
let's say that unbroken SHA-1 represents a 100 meter (328 ft) wall. if a
break allows a collision to be found in merely 2^69 operations (on
average), that would mean the wall has crumbled to 4.9 cm (1.9 in) tall.
that's broken!!
OTOH, let's say that unbroken MD5 represents a 100 meter (328 ft) wall.
comparing unbroken MD5 to broken SHA-1 means the wall would actually grow
from 100 meters (328 ft) tall to 3.2 km (1.99 miles) tall. SHA-1, even if
it's broken enough to find a collision in 2^69 operations (on average), is
still stronger than MD5 was ever meant to be.
again, using unbroken MD5 as our reference of a 100 meter (328 ft) wall,
unbroken SHA-1 would be a wall 6553.6 km (4072 miles) tall. SHA-1 was
intended to be incredibly stronger than MD5.
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"IDEA's key length is 128 bits - over twice as long as DES.
Assuming that a brute force attack is the most efficient,
it would require 2^128 (10^38) encryptions to recover the
key. Design a chip that can test a billion keys per
second an throw a billion of the them at the problem,
and it will still take 10^13 years - that's longer than
the age of the universe. An array of 10^24 such chips can
find the key in a day, but there aren't enough silicon
atoms in the universe to build such a machine. Now we're
getting somewhere - although I'd keep my eye on the dark
matter debate."
-- Bruce Schneier, Applied Cryptography
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCE7N+AAoJEAx/d+cTpVciBIMH/2XFTi0DMGuhXrwCEvmXvxIN
of+aZbdO/vJgDWVR5u7amHOEKf0EBtzhgUxgpFbrGybx26JCx1zL40BfxXxZb6LH
AxJhHvCqtZ/XSqQIXBU0fMT9/sicWV/f8sHvlOWCWGCKRdmus0tMSODW9T8vdWaT
jrTXvOqnFx2fUKsZiyjwPQQYw9kln7m/MRpon6SiPxmjZFoUWlap/c1OnqjVwpUR
xKwczYBZmQdozR24G/pWfVCkbleYcvkPHu/EcV22x9UEiUyHseBxRVgoV0NAV9Ln
tzdbBeMPBTUyuCVFlZGXqdMA1+cevpxSt4WsJt8yX+h2VtSzwq2YMqFsA9xeVpg=
=I/9u
-----END PGP SIGNATURE-----
From wk at gnupg.org Thu Feb 17 08:16:56 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 17 08:16:05 2005
Subject: SHA1 broken?
In-Reply-To: <20050216200506.GE1184@wilma.widomaker.com> (Jason Harris's
message of "Wed, 16 Feb 2005 15:05:07 -0500")
References: <1108543709.5827.1.camel@localhost.localdomain>
<20050216144419.GC21336@jabberwocky.com>
<20050216161147.43569.qmail@smasher.org>
<20050216165609.GB23828@jabberwocky.com>
<20050216171915.81275.qmail@smasher.org>
<87psz0z5yr.fsf@wheatstone.g10code.de>
<20050216200506.GE1184@wilma.widomaker.com>
Message-ID: <87y8dnwt93.fsf@wheatstone.g10code.de>
On Wed, 16 Feb 2005 15:05:07 -0500, Jason Harris said:
> The key creation time can be varied at will, and, I presume, v4 RSA
That's true. However as long as we don't know how to calculate such a
block (and I just guessed that it is similar to the MD5 attack - which
is not necessary true) we don't know whether 4 bytes at a fixed offset
are sufficient.
> key material can be too, a la v3 "vanity" keyids. But, is duplicating
No, they are not vulnerable like v3 keyids.
> While two v4 keys with the same fingerprint could "steal" userid
> certifications made by others, any signatures produced by the
> colliding keys, including selfsigs on their userids, can _not_
They world harm the WoT or any other method of checking the identity
of a key because you usually compare the fingerprints out of band.
Salam-Shalom,
Werner
From wk at gnupg.org Thu Feb 17 08:20:25 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 17 08:21:05 2005
Subject: SHA1 broken?
In-Reply-To: <200502161959.UAA00501@vulcan.xs4all.nl> (Johan Wevers's
message of "Wed, 16 Feb 2005 20:59:04 +0100 (MET)")
References: <200502161959.UAA00501@vulcan.xs4all.nl>
Message-ID: <87u0obwt3a.fsf@wheatstone.g10code.de>
On Wed, 16 Feb 2005 20:59:04 +0100 (MET), Johan Wevers said:
> That would be a more flexible approach than hardwiring a new hashalgo each
> time the previous one was broken. Perhaps a reason to re-add the 1.0 way
> of adding encryption and hash functions as dynamic loadable modules to the
> main program?
The problem is not the software but the protocol. You can't have
dynamically loadable sections for an RFC. That would contradict the
very reason of having a standard.
Shalom-Salam,
Werner
From sk at intertivity.com Thu Feb 17 09:26:32 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Thu Feb 17 09:22:35 2005
Subject: SHA-1 break - in perspective
In-Reply-To: <20050216205449.90659.qmail@smasher.org>
Message-ID: <002501c514ca$6370bfd0$f300a8c0@HOME>
Funny it's the same calculation i had last night before i went to bed!
So long.
Sascha
16. Februar 2005 21:56, Atom Smasher wrote:
> To: recipient list not shown:
> Subject: SHA-1 break - in perspective
>
> this should help put the (alleged until proven otherwise)
> SHA-1 break into
> perspective. thanks to Sascha Kiefer for giving me the idea.
>
> let's say that unbroken SHA-1 represents a 100 meter (328 ft)
> wall. if a
> break allows a collision to be found in merely 2^69 operations (on
> average), that would mean the wall has crumbled to 4.9 cm
> (1.9 in) tall.
> that's broken!!
>
> OTOH, let's say that unbroken MD5 represents a 100 meter (328
> ft) wall.
> comparing unbroken MD5 to broken SHA-1 means the wall would
> actually grow
> from 100 meters (328 ft) tall to 3.2 km (1.99 miles) tall.
> SHA-1, even if
> it's broken enough to find a collision in 2^69 operations (on
> average), is
> still stronger than MD5 was ever meant to be.
>
> again, using unbroken MD5 as our reference of a 100 meter
> (328 ft) wall,
> unbroken SHA-1 would be a wall 6553.6 km (4072 miles) tall. SHA-1 was
> intended to be incredibly stronger than MD5.
From og at pre-secure.de Thu Feb 17 11:39:55 2005
From: og at pre-secure.de (Olaf Gellert)
Date: Thu Feb 17 11:39:34 2005
Subject: Newsgroup signing error
In-Reply-To:
References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com>
Message-ID: <4214747B.1010400@pre-secure.de>
I do not know what all the others observe with your
signature. This is what my enigmail says:
UNTRUSTED Good signature from Jason Barnett , Key Id 0x74D2856A
So obviously enigmail is able to verify your
signature (only that your key is not trusted
by GPG, but the signatrue is alright).
I use Mozilla 1.7.3 and Enigmail 0.85.0.0
I attached a screenshot so you can see how the
email should look like. Maybe some others do have
difficulties verifying signatures? Or some
crappy mail transfer agent doing some changes
to the mail (like converting encodings, newlines,
...)?
Olaf
Jason Barnett wrote:
> Jason Barnett wrote:
>
>>I would assume that a gpg.user newsgroup would be able to handle gpg
>>signed messages correctly so hopefully this message will sign correctly.
>> Then again I've been wrong about other things in the past. ;)
>
> ...
>
> I suppose it would be a better test if I had actually signed my
> message
>
>>>Promote security and make money with the Hushmail Affiliate Program:
>>>http://www.hushmail.com/about-affiliate?l=427
>>>
>>>
>>>------------------------------------------------------------------------
>>>
>>>_______________________________________________
>>>Gnupg-users mailing list
>>>Gnupg-users@gnupg.org
>>>http://lists.gnupg.org/mailman/listinfo/gnupg-users
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE og@pre-secure.de
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signed.png
Type: image/png
Size: 15101 bytes
Desc: not available
Url : /pipermail/attachments/20050217/a0f0e8a1/signed-0001.png
From sk at intertivity.com Thu Feb 17 15:18:00 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Thu Feb 17 16:00:00 2005
Subject: Extracting UserAttribute (photo)
Message-ID: <4214A798.6080607@intertivity.com>
David Shaw wrote
>
> photo-viewer "cat > ~/photoid-for-key-%k.%t"
What is the syntax of the photo-viewer parameter?
i tried the following:
gpg.exe --photo-viewer "C:\Path\Of\Viewer\viewer.exe" --edit mustermann
showphoto quit
and gpg says:
gpg: this platform requires temporary files when calling external programs
gpg: unable to display photo ID!
As you can see i'm running it on a windows system!
Thanks!
From sk at intertivity.com Thu Feb 17 16:19:48 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Thu Feb 17 16:16:07 2005
Subject: Extracting UserAttribute (photo)
In-Reply-To: <4214A798.6080607@intertivity.com>
References: <4214A798.6080607@intertivity.com>
Message-ID: <4214B614.5010403@intertivity.com>
i found it myself:
photo-viewer "C:\Path\Of\Viewer\viewer.exe %I" :)
Sascha Kiefer schrieb:
> David Shaw wrote
> >
> > photo-viewer "cat > ~/photoid-for-key-%k.%t"
>
> What is the syntax of the photo-viewer parameter?
> i tried the following:
>
> gpg.exe --photo-viewer "C:\Path\Of\Viewer\viewer.exe" --edit
> mustermann showphoto quit
>
> and gpg says:
> gpg: this platform requires temporary files when calling external
> programs
> gpg: unable to display photo ID!
>
> As you can see i'm running it on a windows system!
>
> Thanks!
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
From dshaw at jabberwocky.com Thu Feb 17 16:18:59 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 17 16:53:24 2005
Subject: Extracting UserAttribute (photo)
In-Reply-To: <4214A798.6080607@intertivity.com>
References: <4214A798.6080607@intertivity.com>
Message-ID: <20050217151859.GA10243@jabberwocky.com>
On Thu, Feb 17, 2005 at 03:18:00PM +0100, Sascha Kiefer wrote:
> David Shaw wrote
> >
> > photo-viewer "cat > ~/photoid-for-key-%k.%t"
>
> What is the syntax of the photo-viewer parameter?
> i tried the following:
>
> gpg.exe --photo-viewer "C:\Path\Of\Viewer\viewer.exe" --edit mustermann
> showphoto quit
>
> and gpg says:
> gpg: this platform requires temporary files when calling external programs
> gpg: unable to display photo ID!
>
> As you can see i'm running it on a windows system!
Try something like
gpg.exe --photo-viewer "C:\Path\Of\Viewer\viewer.exe %i" --edit mustermann
The %-escapes are:
%i is expanded to a temporary file that contains the photo.
%I is the same as %i, but the file isn't deleted afterwards by GnuPG.
%k is expanded to the key ID of the key.
%K is expanded to the long OpenPGP key ID of the key.
%t is expanded to the extension of the image (e.g. "jpg").
%T is expanded to the MIME type of the image (e.g. "image/jpeg").
%f is expanded to the fingerprint of the key.
%% is %, of course.
David
From swright at physics.adelaide.edu.au Thu Feb 17 17:11:48 2005
From: swright at physics.adelaide.edu.au (Stewart V. Wright)
Date: Thu Feb 17 17:08:33 2005
Subject: [Announce] Second release candidate for 1.4.1 available
In-Reply-To: <20050217031824.GA24720@jabberwocky.com>
References: <20050217031824.GA24720@jabberwocky.com>
Message-ID: <20050217161148.GA13878@anl.gov>
G'day David,
* David Shaw [050216 21:24]:
> We are pleased to announce the availability of a the second release
> candidate for the forthcoming 1.4.1 version of GnuPG:
Um... it appears that there was no update of the gnupg.spec file to
the one that we iterated to over the last week.
The FC2 build of the RPM fails and more importantly it looks like the
gpgkeys_* programs will still be installed incorrectly.
rc3 here we come! ;-)
Cheers,
S.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 274 bytes
Desc: Digital signature
Url : /pipermail/attachments/20050217/01b7bff7/attachment.pgp
From sk at intertivity.com Thu Feb 17 17:26:03 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Thu Feb 17 17:22:12 2005
Subject: Multiple signing
Message-ID: <4214C59B.5040406@intertivity.com>
Is it feasible to sign something with more than one key?
And if yes, how is it done? By calling "gpg --sign" n-times using the
option default-key? Or is there multiple sign option?
Thanks.
--sk
From dshaw at jabberwocky.com Thu Feb 17 17:19:22 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 17 17:50:51 2005
Subject: [Announce] Second release candidate for 1.4.1 available
In-Reply-To: <20050217161148.GA13878@anl.gov>
References: <20050217031824.GA24720@jabberwocky.com>
<20050217161148.GA13878@anl.gov>
Message-ID: <20050217161922.GB10243@jabberwocky.com>
On Thu, Feb 17, 2005 at 10:11:48AM -0600, Stewart V. Wright wrote:
> G'day David,
>
> * David Shaw [050216 21:24]:
> > We are pleased to announce the availability of a the second release
> > candidate for the forthcoming 1.4.1 version of GnuPG:
>
> Um... it appears that there was no update of the gnupg.spec file to
> the one that we iterated to over the last week.
No, the new spec is in CVS, but I checked it in just after Werner
built 1.4.1rc2. No worries, it will be in 1.4.1.
David
From linux at codehelp.co.uk Thu Feb 17 18:07:05 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Thu Feb 17 18:03:12 2005
Subject: Multiple signing
In-Reply-To: <4214C59B.5040406@intertivity.com>
References: <4214C59B.5040406@intertivity.com>
Message-ID: <200502171707.06149.linux@codehelp.co.uk>
On Thursday 17 February 2005 4:26 pm, Sascha Kiefer wrote:
> Is it feasible to sign something with more than one key?
$ gpg -u other_key
> And if yes, how is it done? By calling "gpg --sign" n-times using the
> option default-key? Or is there multiple sign option?
Not multiple sign, you simply change the user to the other key one at a time -
after all, different keys, different passphrases. Naturally, you need the
secret key for the other_key.
--
Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.neil.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050217/bd2befee/attachment.pgp
From henkdebruijn at wanadoo.nl Thu Feb 17 18:18:37 2005
From: henkdebruijn at wanadoo.nl (Henk de Bruijn)
Date: Thu Feb 17 18:15:25 2005
Subject: [Announce] Second release candidate for 1.4.1 available
In-Reply-To: <20050217031824.GA24720@jabberwocky.com>
References: <20050217031824.GA24720@jabberwocky.com>
Message-ID: <1822865182.20050217181837@wanadoo.nl>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 16 Feb 2005 22:18:24 -0500GMT (17-2-2005, 4:18 +0100, where I
live), David Shaw wrote:
> We are pleased to announce the availability of a the second release
> candidate for the forthcoming 1.4.1 version of GnuPG:
> An installer for Windows is also available:
> ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe
> (1.4M)
>
> ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe.sig
> Please try these versions out and report any problems.
Up and running but after gpg --version, it shows rc1???
- --
Henk
______________________________________________________________________
The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2
PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678
Gossamer Spider Web of Trust GSWoT http://www.gswot.org/
A Progressive and Innovative Web of Trust
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (MingW32) - GPGrelay v0.956
iD8DBQFCFNH6Egabk9vm5ngRAlNtAJ9DZqaMHDm8wjS/LlQGkze6eyLxSgCgkyfQ
SpkWatAn01yoNd5gQo6ovzU=
=BKMv
-----END PGP SIGNATURE-----
From dshaw at jabberwocky.com Thu Feb 17 17:52:35 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 17 18:25:42 2005
Subject: Multiple signing
In-Reply-To: <4214C59B.5040406@intertivity.com>
References: <4214C59B.5040406@intertivity.com>
Message-ID: <20050217165235.GA10406@jabberwocky.com>
On Thu, Feb 17, 2005 at 05:26:03PM +0100, Sascha Kiefer wrote:
> Is it feasible to sign something with more than one key?
> And if yes, how is it done? By calling "gpg --sign" n-times using the
> option default-key? Or is there multiple sign option?
gpg -u key1 -u key2 -u key3 --sign foo.txt
David
From Freedom_Lover at pobox.com Thu Feb 17 18:36:34 2005
From: Freedom_Lover at pobox.com (Todd)
Date: Thu Feb 17 18:33:21 2005
Subject: [PATCH] gnupg.spec [WAS: unable to execute program
`gpgkeys_hkp': Permission denied]
In-Reply-To: <20050217034410.GG24504@jabberwocky.com>
References: <20050209210131.GE13440@anl.gov>
<20050209211832.GD13550@jabberwocky.com>
<20050209214834.GF13440@anl.gov>
<20050210033606.GC13965@jabberwocky.com>
<20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov>
<20050211202000.GD7710@anl.gov>
<20050212050506.GE22456@jabberwocky.com>
<20050214210800.GR4175@psilocybe.teonanacatl.org>
<20050217034410.GG24504@jabberwocky.com>
Message-ID: <20050217173634.GC26827@psilocybe.teonanacatl.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David Shaw wrote:
> On Mon, Feb 14, 2005 at 04:08:00PM -0500, Todd wrote:
>
>> In doing so, it seems like a nicer way to solve this would be to
>> simply modify two automake files in gnupg to use pkglibexecdir instead
>> of libexecdir. The attached patch against CVS does this and worked
>> for me in my simple testing. It allows libexecdir to be set as one
>> would normally set it and not have to worry about the gnupg subdr
>> portion. Of course, if one wants to change that seperately from
>> libexecdir, it can be done by passing pkglibexecdir to make:
>>
>> make pkglibexecdir=/usr/anydir/gpg
>
> I think this is a good idea. I don't want to mess about with the
> build this close to the 1.4.1 release, but I will revisit this for
> 1.4.2.
Awwww, what's wrong with mucking around with .am files when a release
is imminent? What could possibly go awry? Hehehe.
Cool though. Hope it'll work out for 1.4.2 and make it a little
simpler to package GnuPG with various distro packaging tools.
Thanks again for all the work you guys do on GnuPG (yourself, Timo,
Werner, and any unnamed contributors of code)!
- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Ah! Useless! Every one of you! Fine. I will defend myself and to
hell with all of you!
-- Stewie Griffin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.
iG0EARECAC0FAkIU1iImGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt
ei5hc2MACgkQuv+09NZUB1rr/QCgkWqcErFUgY7O3kjiQ6uTlP5tLUwAnje8K4sF
3FgcK0iE9B5HeLSc34KH
=Xx4R
-----END PGP SIGNATURE-----
From sk at intertivity.com Thu Feb 17 19:22:44 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Thu Feb 17 19:18:48 2005
Subject: Multiple signing
In-Reply-To: <20050217165235.GA10406@jabberwocky.com>
Message-ID: <002201c5151d$acd767c0$f300a8c0@HOME>
Thanks!
> gpg -u key1 -u key2 -u key3 --sign foo.txt
From dshaw at jabberwocky.com Thu Feb 17 19:44:05 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 17 19:40:51 2005
Subject: [Announce] Second release candidate for 1.4.1 available
In-Reply-To: <1822865182.20050217181837@wanadoo.nl>
References: <20050217031824.GA24720@jabberwocky.com>
<1822865182.20050217181837@wanadoo.nl>
Message-ID: <20050217184405.GA18817@jabberwocky.com>
On Thu, Feb 17, 2005 at 06:18:37PM +0100, Henk de Bruijn wrote:
> On Wed, 16 Feb 2005 22:18:24 -0500GMT (17-2-2005, 4:18 +0100, where I
> live), David Shaw wrote:
>
> > We are pleased to announce the availability of a the second release
> > candidate for the forthcoming 1.4.1 version of GnuPG:
>
> > An installer for Windows is also available:
>
> > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe
> > (1.4M)
> >
> > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe.sig
>
> > Please try these versions out and report any problems.
>
> Up and running but after gpg --version, it shows rc1???
On Win32 or Unix? It certainly says rc2 on Unix.
David
From henkdebruijn at wanadoo.nl Thu Feb 17 21:04:05 2005
From: henkdebruijn at wanadoo.nl (Henk de Bruijn)
Date: Thu Feb 17 21:00:10 2005
Subject: [Announce] Second release candidate for 1.4.1 available
In-Reply-To: <20050217184405.GA18817@jabberwocky.com>
References: <20050217031824.GA24720@jabberwocky.com>
<1822865182.20050217181837@wanadoo.nl>
<20050217184405.GA18817@jabberwocky.com>
Message-ID: <2367620.20050217210405@wanadoo.nl>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> On Thu, Feb 17, 2005 at 06:18:37PM +0100, Henk de Bruijn wrote:
>> Up and running but after gpg --version, it shows rc1???
> On Win32 or Unix? It certainly says rc2 on Unix.
On Win32
- --
Henk
______________________________________________________________________
The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2
PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678
Gossamer Spider Web of Trust GSWoT http://www.gswot.org/
A Progressive and Innovative Web of Trust
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (MingW32) - GPGrelay v0.956
iD8DBQFCFPi2Egabk9vm5ngRAqrNAJ9PNwcOfISU2nIfwZvSSxJzt+mligCeMt4d
aV6VZ70Zt839Fgo++vQ5FNY=
=7baU
-----END PGP SIGNATURE-----
From henkdebruijn at wanadoo.nl Thu Feb 17 21:20:44 2005
From: henkdebruijn at wanadoo.nl (Henk de Bruijn)
Date: Thu Feb 17 21:16:53 2005
Subject: [Announce] Second release candidate for 1.4.1 available
In-Reply-To: <20050217184405.GA18817@jabberwocky.com>
References: <20050217031824.GA24720@jabberwocky.com>
<1822865182.20050217181837@wanadoo.nl>
<20050217184405.GA18817@jabberwocky.com>
Message-ID: <1905164793.20050217212044@wanadoo.nl>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, 17 Feb 2005 13:44:05 -0500GMT (17-2-2005, 19:44 +0100, where I
live), David Shaw wrote:
> On Thu, Feb 17, 2005 at 06:18:37PM +0100, Henk de Bruijn wrote:
>> On Wed, 16 Feb 2005 22:18:24 -0500GMT (17-2-2005, 4:18 +0100, where I
>> live), David Shaw wrote:
>>
>> > We are pleased to announce the availability of a the second release
>> > candidate for the forthcoming 1.4.1 version of GnuPG:
>>
>> > An installer for Windows is also available:
>>
>> > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe
>> > (1.4M)
>> >
>> >
>> ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe.sig
>>
>> > Please try these versions out and report any problems.
>>
>> Up and running but after gpg --version, it shows rc1???
> On Win32 or Unix? It certainly says rc2 on Unix.
I noticed at the end of my message:
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (MingW32) - GPGrelay v0.956
But still as I wrote after: gpg -- version it says rc1
- --
Henk
______________________________________________________________________
The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2
PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678
Gossamer Spider Web of Trust GSWoT http://www.gswot.org/
A Progressive and Innovative Web of Trust
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (MingW32) - GPGrelay v0.956
iD4DBQFCFPydEgabk9vm5ngRApkcAKDwL+D8fYMQSm7S4+h4UtM/0B5q2wCXSv4T
BIUGoW5L92Ycm4qXLmYRRA==
=zRw0
-----END PGP SIGNATURE-----
From mads at warhead.org.uk Thu Feb 17 21:46:05 2005
From: mads at warhead.org.uk (Mads Munch Hansen)
Date: Thu Feb 17 21:42:47 2005
Subject: Backup with encryption
In-Reply-To: <421386CE.2030103__49615.0734521963$1108578977$gmane$org@natzo.com>
References: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com> <21f9090dfefa95355b0be4e8a3dcc357__13267.9878188812$1108530984$gmane$org@biglumber.com>
<421386CE.2030103__49615.0734521963$1108578977$gmane$org@natzo.com>
Message-ID:
Dany Nativel wrote:
> What about Duplicity ?
>
> http://www.nongnu.org/duplicity/
>
> Dany
>
>
> Mads Munch Hansen wrote:
>
>> That would mean he would have to input a passphrase everytime he does a
>> backups, or make a script that does it for him, which could be a
>> potential security risk. By using a public key, the backups can be done
>> unatended with no risk of passphrase being compromised if the script(s)
>> are. (it would be a good idea nontheless to keep the secret key on
>> another system though)
>>
>> Regards
>> Mads
From what I (causually) read on the site I coulden't determine weather
it used symetric encrytpion or not.. Are you familiar with it?
- Mads
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050217/fd8ce70b/signature.pgp
From jharris at widomaker.com Thu Feb 17 22:05:56 2005
From: jharris at widomaker.com (Jason Harris)
Date: Thu Feb 17 22:02:08 2005
Subject: SHA1 broken?
In-Reply-To: <87y8dnwt93.fsf@wheatstone.g10code.de>
References: <1108543709.5827.1.camel@localhost.localdomain>
<20050216144419.GC21336@jabberwocky.com>
<20050216161147.43569.qmail@smasher.org>
<20050216165609.GB23828@jabberwocky.com>
<20050216171915.81275.qmail@smasher.org>
<87psz0z5yr.fsf@wheatstone.g10code.de>
<20050216200506.GE1184@wilma.widomaker.com>
<87y8dnwt93.fsf@wheatstone.g10code.de>
Message-ID: <20050217210556.GJ1184@wilma.widomaker.com>
On Thu, Feb 17, 2005 at 08:16:56AM +0100, Werner Koch wrote:
> On Wed, 16 Feb 2005 15:05:07 -0500, Jason Harris said:
> > The key creation time can be varied at will, and, I presume, v4 RSA
>
> That's true. However as long as we don't know how to calculate such a
> block (and I just guessed that it is similar to the MD5 attack - which
> is not necessary true) we don't know whether 4 bytes at a fixed offset
> are sufficient.
>
> > key material can be too, a la v3 "vanity" keyids. But, is duplicating
>
> No, they are not vulnerable like v3 keyids.
If RSA key material can be successfully manipulated to produce a
desired result in a v3 key, why can't it also be manipulated in
a v4 key? Granted, the desired result is a SHA-1 collision, but
being able to modify key material opens up most of a v4 pubkey
packet to manipulation.
> > While two v4 keys with the same fingerprint could "steal" userid
> > certifications made by others, any signatures produced by the
> > colliding keys, including selfsigs on their userids, can _not_
>
> They world harm the WoT or any other method of checking the identity
> of a key because you usually compare the fingerprints out of band.
Of course. However, if the key creation time, type, and number of
bits are checked, they may be found to be different among keys with
identical fingerprints. If not, we will have to "pgpdump -i" them
to detect changes in the key material. Either way, each key with a
colliding fingerprint can be placed in a keyring individually and
used to check signatures purportedly from the key. If any of the
key material - not just timestamps - varies among the keys, one
should be able to isolate the key that actually made the valid
signature (or, if you prefer, makes the signature valid).
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050217/ea26ed00/attachment.pgp
From dany_list at natzo.com Thu Feb 17 22:26:09 2005
From: dany_list at natzo.com (Dany Nativel)
Date: Thu Feb 17 22:22:17 2005
Subject: Backup with encryption
In-Reply-To:
References: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com> <21f9090dfefa95355b0be4e8a3dcc357__13267.9878188812$1108530984$gmane$org@biglumber.com> <421386CE.2030103__49615.0734521963$1108578977$gmane$org@natzo.com>
Message-ID: <42150BF1.503@natzo.com>
According to the man page, you can choose the one you like :
*
--encrypt-key */key/
When backing up, encrypt to the given public key, instead of using
symmetric (traditional) encryption. Can be specified multiple times.
BTW, I use rdiff-backup (http://www.nongnu.org/rdiff-backup/) which
doesn't offer any encrytpion but provides a very efficient way to
perform incremental backups.
Cheers
Dany
Mads Munch Hansen wrote:
> Dany Nativel wrote:
>
>> What about Duplicity ?
>>
>> http://www.nongnu.org/duplicity/
>>
>> Dany
>>
>>
>> Mads Munch Hansen wrote:
>>
>>> That would mean he would have to input a passphrase everytime he does a
>>> backups, or make a script that does it for him, which could be a
>>> potential security risk. By using a public key, the backups can be done
>>> unatended with no risk of passphrase being compromised if the script(s)
>>> are. (it would be a good idea nontheless to keep the secret key on
>>> another system though)
>>>
>>> Regards
>>> Mads
>>
>
>
> From what I (causually) read on the site I coulden't determine weather
> it used symetric encrytpion or not.. Are you familiar with it?
>
> - Mads
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users@gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
From erwan at rail.eu.org Thu Feb 17 22:38:52 2005
From: erwan at rail.eu.org (Erwan David)
Date: Thu Feb 17 22:34:57 2005
Subject: Backup with encryption
In-Reply-To: <42150BF1.503@natzo.com>
References: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com>
<21f9090dfefa95355b0be4e8a3dcc357__13267.9878188812$1108530984$gmane$org@biglumber.com>
<421386CE.2030103__49615.0734521963$1108578977$gmane$org@natzo.com>
<42150BF1.503@natzo.com>
Message-ID: <20050217213852.GC11656@ratagaz.depot.rail.eu.org>
Le Thu 17/02/2005, Dany Nativel disait
>
> According to the man page, you can choose the one you like :
> *
> --encrypt-key */key/
> When backing up, encrypt to the given public key, instead of using
> symmetric (traditional) encryption. Can be specified multiple times.
>
> BTW, I use rdiff-backup (http://www.nongnu.org/rdiff-backup/) which
> doesn't offer any encrytpion but provides a very efficient way to
> perform incremental backups.
I use tar f -|gpg for my backups. And I encrypt with my public key. My private key
is stored on a USB key for security.
--
Erwan
From greg at turnstep.com Fri Feb 18 00:50:50 2005
From: greg at turnstep.com (Greg Sabino Mullane)
Date: Fri Feb 18 00:47:32 2005
Subject: Backup with encryption
In-Reply-To:
Message-ID: <837f63a836715c1f158db58dfdc294b4@biglumber.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mads wrote:
> Greg Sabino Mullane wrote:
> ..
>> gpg -ca yourfile
> ..
>> The only thing you have to worry about then is forgetting the password.
>
> That would mean he would have to input a passphrase everytime he does a
> backups, or make a script that does it for him, which could be a
> potential security risk.
Sure, but if you have access to the script and the password, you also
more than likely have access to the unencrypted files you are backing up,
so the additional risk is not really there. A possibly better "best of both
worlds" way is to simply create a private/public keypair just for the
backups, handled with different security requirements than your personal
key.
- --
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200502171850
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8
-----BEGIN PGP SIGNATURE-----
iD8DBQFCFS5bvJuQZxSWSsgRAkxuAJ98qK/cZ+Yx/F6Si+L0Vr41HUZcZQCcCBpx
0MK+cPZxZYxiVDwa1rltpZM=
=T0/H
-----END PGP SIGNATURE-----
From erwan at rail.eu.org Fri Feb 18 01:27:57 2005
From: erwan at rail.eu.org (Erwan David)
Date: Fri Feb 18 01:24:07 2005
Subject: Backup with encryption
In-Reply-To: <837f63a836715c1f158db58dfdc294b4@biglumber.com>
References:
<837f63a836715c1f158db58dfdc294b4@biglumber.com>
Message-ID: <20050218002757.GC12235@ratagaz.depot.rail.eu.org>
Le Thu 17/02/2005, Greg Sabino Mullane disait
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Mads wrote:
> > Greg Sabino Mullane wrote:
> > ..
> >> gpg -ca yourfile
> > ..
> >> The only thing you have to worry about then is forgetting the password.
> >
> > That would mean he would have to input a passphrase everytime he does a
> > backups, or make a script that does it for him, which could be a
> > potential security risk.
>
> Sure, but if you have access to the script and the password, you also
> more than likely have access to the unencrypted files you are backing up,
> so the additional risk is not really there. A possibly better "best of both
> worlds" way is to simply create a private/public keypair just for the
> backups, handled with different security requirements than your personal
> key.
for backup you only need the public key, so no problem to let a script use it.
I doubt you do unattented recovery, so you can handle your private key as usual
in this case.
--
Erwan
From henkdebruijn at wanadoo.nl Fri Feb 18 04:20:04 2005
From: henkdebruijn at wanadoo.nl (Henk de Bruijn)
Date: Fri Feb 18 04:16:21 2005
Subject: [Announce] Second release candidate for 1.4.1 available
In-Reply-To: <20050217184405.GA18817@jabberwocky.com>
References: <20050217031824.GA24720@jabberwocky.com>
<1822865182.20050217181837@wanadoo.nl>
<20050217184405.GA18817@jabberwocky.com>
Message-ID: <1208545917.20050218042004@wanadoo.nl>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, 17 Feb 2005 13:44:05 -0500GMT (17-2-2005, 19:44 +0100, where I
live), David Shaw wrote:
> On Thu, Feb 17, 2005 at 06:18:37PM +0100, Henk de Bruijn wrote:
>> Up and running but after gpg --version, it shows rc1???
> On Win32 or Unix? It certainly says rc2 on Unix.
Checked again and found two versions of gpg.exe, solved that and I
think it is now ok.
- --
Henk
______________________________________________________________________
The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2
PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678
Gossamer Spider Web of Trust GSWoT http://www.gswot.org/
A Progressive and Innovative Web of Trust
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (MingW32) - GPGrelay v0.956
iD8DBQFCFV7tEgabk9vm5ngRAnygAKCOkootlzFRIE0sw4Q5dIngZLncvwCg6b5H
u3va+dhuczWV1cGZ7QNvjls=
=82y9
-----END PGP SIGNATURE-----
From texmex at uni.de Fri Feb 18 14:29:41 2005
From: texmex at uni.de (Gregor Zattler)
Date: Fri Feb 18 14:26:23 2005
Subject: Second release candidate for 1.4.1 available
In-Reply-To: <20050217031824.GA24720@jabberwocky.com>
References: <20050217031824.GA24720@jabberwocky.com>
Message-ID: <20050218132941.GH31904@pit.ID-43118.user.dfncis.de>
Hi David,
* David Shaw [16. Feb. 2005]:
> Hi!
>
> We are pleased to announce the availability of a the second release
> candidate for the forthcoming 1.4.1 version of GnuPG:
>
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc2.tar.bz2 (2.7M)
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc2.tar.bz2.sig
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1-1.4.1rc2.diff.bz2 (338K)
>
> An installer for Windows is also available:
>
> ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe (1.4M)
> ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe.sig
The problem I reported in
<20050203143651.GD19332@pit.ID-43118.user.dfncis.de> does not
occour in rc2.
The dialog for language selection opens with an empty selection
but it's possible to select a language from the list.
Thanks.
From texmex at uni.de Fri Feb 18 15:06:22 2005
From: texmex at uni.de (Gregor Zattler)
Date: Fri Feb 18 15:03:05 2005
Subject: RSA signing keys (was: Re: SHA1 broken?)
In-Reply-To: <20050216144419.GC21336@jabberwocky.com>
References: <1108543709.5827.1.camel@localhost.localdomain>
<20050216144419.GC21336@jabberwocky.com>
Message-ID: <20050218140622.GL31904@pit.ID-43118.user.dfncis.de>
Hi David,
* David Shaw [16. Feb. 2005]:
> In terms of GnuPG: it's up to you whether you want to switch hashes or
> not. GnuPG supports all of the SHA-2 hashes, so they are at least
> available. Be careful you don't run up against compatibility
> problems: PGP doesn't support 384 or 512, and only recently started
> supporting 256. GnuPG before 1.2.2 (2003-05-01), doesn't have any of
> the new hashes. Finally, if you have a DSA signing key (most people
> do) you are required to use either SHA-1 or RIPEMD/160. RSA signing
> keys can use any hash.
Do you advise to use RSA signing keys with gnupg 1.4.1? Will the
default key type change?
Gregor
From wk at gnupg.org Fri Feb 18 16:01:46 2005
From: wk at gnupg.org (Werner Koch)
Date: Fri Feb 18 16:01:07 2005
Subject: SHA1 broken?
In-Reply-To: <20050217210556.GJ1184@wilma.widomaker.com> (Jason Harris's
message of "Thu, 17 Feb 2005 16:05:56 -0500")
References: <1108543709.5827.1.camel@localhost.localdomain>
<20050216144419.GC21336@jabberwocky.com>
<20050216161147.43569.qmail@smasher.org>
<20050216165609.GB23828@jabberwocky.com>
<20050216171915.81275.qmail@smasher.org>
<87psz0z5yr.fsf@wheatstone.g10code.de>
<20050216200506.GE1184@wilma.widomaker.com>
<87y8dnwt93.fsf@wheatstone.g10code.de>
<20050217210556.GJ1184@wilma.widomaker.com>
Message-ID: <87sm3tdi91.fsf@wheatstone.g10code.de>
On Thu, 17 Feb 2005 16:05:56 -0500, Jason Harris said:
> If RSA key material can be successfully manipulated to produce a
> desired result in a v3 key, why can't it also be manipulated in
> a v4 key? Granted, the desired result is a SHA-1 collision, but
Because the v4 format fixes the flaw with the length of the parameters
and the way the fingerprint and keyid is calculated.
> Of course. However, if the key creation time, type, and number of
> bits are checked, they may be found to be different among keys with
Well that means to reintroduce the requirement for that checking for
v4 keys again. For a different reason of course. And well, with the
SHA-1 weakness you still won't be able to find a second preimage for a
given key.
Salam-Shalom,
Werner
From wk at gnupg.org Fri Feb 18 16:18:44 2005
From: wk at gnupg.org (Werner Koch)
Date: Fri Feb 18 16:15:59 2005
Subject: RSA signing keys
In-Reply-To: <20050218140622.GL31904@pit.ID-43118.user.dfncis.de> (Gregor
Zattler's message of "Fri, 18 Feb 2005 15:06:22 +0100")
References: <1108543709.5827.1.camel@localhost.localdomain>
<20050216144419.GC21336@jabberwocky.com>
<20050218140622.GL31904@pit.ID-43118.user.dfncis.de>
Message-ID: <87k6p5dhgr.fsf@wheatstone.g10code.de>
On Fri, 18 Feb 2005 15:06:22 +0100, Gregor Zattler said:
> Do you advise to use RSA signing keys with gnupg 1.4.1? Will the
> default key type change?
No. DSS is the default signing algorithm and a MUST for all OpenPGP
applications; thus it is suggested to do that. Not all OpenPGP
applications are able to handle RSA signed messages.
And now please repeat all:
The security of a system is limited by its weakest link!
Does anyone really believe that a collission attack (i.e. a method to
produce 2 different text with the same hash value) is a danger?
I am 100% sure that there are more severe bugs in GnuPG or other
software used during the build and its use that are far easier to
exploit than a 2^69 workload with incredibale amounts of required
storage. Let alone rubber hose attacks and blackmailing.
Shalom-Salam,
Werner
From quillo1978 at gmail.com Fri Feb 18 17:55:34 2005
From: quillo1978 at gmail.com (Quillo)
Date: Fri Feb 18 18:43:07 2005
Subject: general question about gnupg
Message-ID: <1108745734.3777.157.camel@localhost.localdomain>
Hi all,
I'm a beginner in these encryption and security issues and, while with
all the available documentation most of my user questions are solved,
but I'm looking for something (I don't know if) not very common and I
don't really know what should I look for.
I have a server which, due to database events, sends automatically
emails with some info. I would like that these emails are sent GPG/PGP
signed (not encrypted), what kind of software should I look for? The
servers (both database and smtp) are running windows and the emails are
generated with ASPmail. Any clues would be very appreciated.
Thanks a lot
Angel
From sk at intertivity.com Fri Feb 18 19:25:33 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Fri Feb 18 19:21:51 2005
Subject: general question about gnupg
In-Reply-To: <1108745734.3777.157.camel@localhost.localdomain>
Message-ID: <000801c515e7$3c41c8a0$f300a8c0@HOME>
Hi,
The company i work for is providing such software.
Please go to https://www.ams.lu and look for eCrypt!
esskar
> -----Original Message-----
> From: gnupg-users-bounces@gnupg.org
> [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Quillo
> Sent: Freitag, 18. Februar 2005 17:56
> To: gnupg-users@gnupg.org
> Subject: general question about gnupg
>
>
>
> Hi all,
>
> I'm a beginner in these encryption and security issues and,
> while with all the available documentation most of my user
> questions are solved, but I'm looking for something (I don't
> know if) not very common and I don't really know what should
> I look for.
>
> I have a server which, due to database events, sends
> automatically emails with some info. I would like that these
> emails are sent GPG/PGP signed (not encrypted), what kind of
> software should I look for? The servers (both database and
> smtp) are running windows and the emails are generated with
> ASPmail. Any clues would be very appreciated.
>
> Thanks a lot
>
> Angel
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
From amilivojevic at pbl.ca Fri Feb 18 19:17:18 2005
From: amilivojevic at pbl.ca (Aleksandar Milivojevic)
Date: Fri Feb 18 19:50:16 2005
Subject: SHA1 broken?
In-Reply-To: <000901c51442$44274af0$f300a8c0@HOME>
References: <000901c51442$44274af0$f300a8c0@HOME>
Message-ID: <4216312E.5070608@pbl.ca>
Kiefer, Sascha wrote:
> Not really true.
> If your wall is 100 meters (i dont how to calculate in foot) high,
> and the ratio is 2^69 / 2^80 then your wall will be about 5 centimeters
> high. Which is actually a big difference. But it's that it is still higher
> than the MD5 wall. :)
Sascha, North Americans don't dig really well into prefixes of metric
system. An example is that I always ask for 200 grams of mortadela in
local stores. Asking for 20 dekagrams (as I would do back home in
Europe) is beyond conversion abilities of average North American. And
this is in Canada where metric system is officialy in use. I can only
imagine how bad the things are south of the border. So, to put things
in perspective, 100 meter (328 feet) wall becomes 0.05 meter (aprox. 1
31/32 inch) wall.
--
Aleksandar Milivojevic Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
From johanw at vulcan.xs4all.nl Fri Feb 18 22:30:57 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri Feb 18 22:27:04 2005
Subject: SHA1 broken?
In-Reply-To: <4216312E.5070608@pbl.ca> from Aleksandar Milivojevic at "Feb 18,
2005 12:17:18 pm"
Message-ID: <200502182130.WAA00455@vulcan.xs4all.nl>
Aleksandar Milivojevic wrote:
>local stores. Asking for 20 dekagrams (as I would do back home in
>Europe)
I never realised that the prefix "deca" was used in practise at all.
I've always learned it to be a prefix that exists only formally.
What country are you from?
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From ajgpgml at tesla.inka.de Sat Feb 19 19:34:47 2005
From: ajgpgml at tesla.inka.de (Andreas John)
Date: Sat Feb 19 20:12:24 2005
Subject: Problem: Charsets in 1.4.1rc2
References: <20050217031824.GA24720@jabberwocky.com>
Message-ID: <002801c516b1$bddfa420$bad855d9@tesla>
Hi!
The charsets are handled very good (thanks to iconv.dll), but unfortunately it seems like copepage-issues with system-strings aren't taken into account:
In the win98-console (CP850) I'll type "gpg test.txt.asc" to verify a test-signature:
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
Datei 'x.txt' existiert bereits. Overwrite? (y/N) y
gpg: Signature made 02/19/05 19:25:15 (MEZ) Mitteleurop?ische Zeit using RSA key ID A5FF6560
gpg: Good signature from "test ?????? "
Note the time-string: It should read "Mitteleurop?ische Zeit" (the UserID displays the right umlauts as expected).
Bye!
From dany_list at natzo.com Sun Feb 20 01:19:49 2005
From: dany_list at natzo.com (Dany Nativel)
Date: Sun Feb 20 01:16:01 2005
Subject: Advice for Web of Trust policy
Message-ID: <4217D7A5.4050106@natzo.com>
Hello,
I've been playing around with the OpenPGP card and I'm now ready to go
live. I'd like to get into the web of trust but I don't know which way
to go :
1) Like most GnuPG users, dedicated off-line signing key for signing
other people's keys and my subkeys
pros :
- not connected... that says all!
cons:
- doesn't prevent from keyboard logger (passphrase)
- signing key can be physically duplicated (brute force attack possible)
2) OpenPGP card for both signing and encrypting
pros :
- One card for both web of trust and everyday's encryption/signing
- Not easy to duplicate key's secret material (but not impossible though ;))
- No complex passphrase to rememeber + automatic lock-down after 3 attempts
- Easier to use with services like biglumber.com because the signing key
is linked to an email address and also has an encryption subkey. Some
people will only give you a cert level 2 if the key is only a signing key.
cons:
- Card is going to be used on a machine connected to the Internet.
How is my policy (single OpenPGP card for everything) going to be
accepted by the community ?
Is this going to be seen as a threat to the web of trust ?
Maybe I can get the advantage of 1) by only signing other people's keys
with OpenPGP SmartCard, a LiveCD and no network)
Thanks for your feedback
Best regards
Dany
From jharris at widomaker.com Mon Feb 21 05:11:19 2005
From: jharris at widomaker.com (Jason Harris)
Date: Mon Feb 21 05:07:44 2005
Subject: new (2005-02-20) keyanalyze results (+sigcheck)
Message-ID: <20050221041118.GK1184@wilma.widomaker.com>
New keyanalyze results are available at:
http://keyserver.kjsl.com/~jharris/ka/2005-02-20/
Signatures are now being checked using keyanalyze+sigcheck:
http://dtype.org/~aaronl/
Earlier reports are also available, for comparison:
http://keyserver.kjsl.com/~jharris/ka/
Even earlier monthly reports are at:
http://dtype.org/keyanalyze/
SHA-1 hashes and sizes for all the "permanent" files:
f1225de00d781e8085ece0582d1831c851fac5c3 11374632 preprocess.keys
f51610b0ce7c4a366815da4f7f3b2ca69d7fa0d8 7180829 othersets.txt
cd476b90cb529aa2ed8af209d17d150d50a59861 2881738 msd-sorted.txt
ee7513d6673185c48dd654a1e8e683b1f7c8788f 1450 index.html
35d7a133eb27256452a8518f37531890ee861b79 2290 keyring_stats
bdbc375a04b7459e2ec00a604fdaa93e9c339e7c 1134193 msd-sorted.txt.bz2
7527d827043a2bca798ef07ae1b0b1e117e310d2 26 other.txt
b8f332cb8de8fb0df5e48d5071eb17128e4bc944 1544651 othersets.txt.bz2
04987163435d134ebba953a2749a857128e7e652 4598371 preprocess.keys.bz2
2f42b4d597ada29bdc9e92679978f18f6acc6a55 11488 status.txt
84502f71c3cf4c20418be9700a514bcefcbecc37 211626 top1000table.html
6bafd68aac66b0d195ffc7f1b45145740bfb28a9 30367 top1000table.html.gz
c7d0cb9f2b17c9bc94ace7d49a89d92454735ca7 10991 top50table.html
c491dc78d8d9a4192c33dc0097385ef842b6d57b 2369 D3/D39DA0E3
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050220/e615cb0e/attachment.pgp
From spifftraq at gmail.com Mon Feb 21 08:04:19 2005
From: spifftraq at gmail.com (Spiff Traq)
Date: Mon Feb 21 09:00:55 2005
Subject: SHA1 broken?
In-Reply-To: <200502182130.WAA00455@vulcan.xs4all.nl>
References: <4216312E.5070608@pbl.ca> <200502182130.WAA00455@vulcan.xs4all.nl>
Message-ID: <11e5220b05022023045379c373@mail.gmail.com>
> Aleksandar Milivojevic wrote:
> >local stores. Asking for 20 dekagrams (as I would do back home in
> >Europe)
> I never realised that the prefix "deca" was used in practise at all.
> I've always learned it to be a prefix that exists only formally.
> What country are you from?
Here in sweden we use it, we natives spell it 'hekto'
regards
J?rgen
From asmart at kingsdown.swindon.sch.uk Mon Feb 21 09:06:30 2005
From: asmart at kingsdown.swindon.sch.uk (Andy Smart)
Date: Mon Feb 21 09:44:26 2005
Subject: SHA1 broken?
In-Reply-To: <4216312E.5070608@pbl.ca>
References: <000901c51442$44274af0$f300a8c0@HOME> <4216312E.5070608@pbl.ca>
Message-ID: <42199686.6060604@kingsdown.swindon.sch.uk>
I once asked an American friend when the US was going to metricate - his
reply was "When Hell freezes over buddy"; as a result of 4 years in the
UK he was convinced metric was easier but said that he couldn't see any
reason for the US to change :-)
Aleksandar Milivojevic wrote:
> Kiefer, Sascha wrote:
>
>> Not really true.
>> If your wall is 100 meters (i dont how to calculate in foot) high,
>> and the ratio is 2^69 / 2^80 then your wall will be about 5
>> centimeters high. Which is actually a big difference. But it's that it
>> is still higher
>> than the MD5 wall. :)
>
>
> Sascha, North Americans don't dig really well into prefixes of metric
> system. An example is that I always ask for 200 grams of mortadela in
> local stores. Asking for 20 dekagrams (as I would do back home in
> Europe) is beyond conversion abilities of average North American. And
> this is in Canada where metric system is officialy in use. I can only
> imagine how bad the things are south of the border. So, to put things
> in perspective, 100 meter (328 feet) wall becomes 0.05 meter (aprox. 1
> 31/32 inch) wall.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: asmart.vcf
Type: text/x-vcard
Size: 313 bytes
Desc: not available
Url : /pipermail/attachments/20050221/746f1c18/asmart.vcf
From technojoecoolusa at charter.net Mon Feb 21 10:36:58 2005
From: technojoecoolusa at charter.net (Joseph D. Wagner)
Date: Mon Feb 21 11:11:59 2005
Subject: Unable to Sign Packages
Message-ID: <3rr3e8$i91lk3@mxip10a.cluster1.charter.net>
While attempting to sign an RPM package I created using the command:
rpm --addsign _packagename_
I got an error message saying the pass phrase is invalid.
I deleted the contents of the ~/.gnupg directory, which should have completely deleted the key. I generated a new key using the command:
gpg --gen-key
and entered "123" as the passphrase.
No effect. I still get an error message that tells me the pass phrase is wrong. I know I'm typing "123" correctly, so what else could be set incorrectly that would give me this error message?
~/.rpmmacros is as follows:
%_signature gpg
%_gpg_path /home/joseph/.gnupg
%_gpg_name Joseph D. Wagner (For Use with Fedora Core 3)
TIA.
Joseph D. Wagner
From sk at intertivity.com Mon Feb 21 11:18:43 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Mon Feb 21 11:14:40 2005
Subject: SHA1 broken?
In-Reply-To: <87sm3tdi91.fsf@wheatstone.g10code.de>
Message-ID: <002701c517fe$b933f810$f300a8c0@HOME>
I just read that the PGP Corporation will advance to
SHA-256 and SHA-512 (http://www.pgp.com/news/sha1.html).
From martin.pfister at gmx.net Sat Feb 19 15:53:35 2005
From: martin.pfister at gmx.net (Martin Pfister)
Date: Mon Feb 21 11:21:25 2005
Subject: Outlook 2003 problem
Message-ID:
http://www.equipmente.de/viewtopic.php?t=642
Regards,
Martin
From kha at treskal.com Mon Feb 21 09:24:25 2005
From: kha at treskal.com (Karl =?iso-8859-1?Q?Hasselstr=F6m?=)
Date: Mon Feb 21 11:21:32 2005
Subject: SHA1 broken?
In-Reply-To: <11e5220b05022023045379c373@mail.gmail.com>
References: <4216312E.5070608@pbl.ca> <200502182130.WAA00455@vulcan.xs4all.nl>
<11e5220b05022023045379c373@mail.gmail.com>
Message-ID: <20050221082425.GB10276@malin>
On 2005-02-21 08:04:19 +0100, Spiff Traq wrote:
> > Aleksandar Milivojevic wrote:
> >
> > > local stores. Asking for 20 dekagrams (as I would do back home
> > > in Europe)
> >
> > I never realised that the prefix "deca" was used in practise at
> > all. I've always learned it to be a prefix that exists only
> > formally. What country are you from?
>
> Here in sweden we use it, we natives spell it 'hekto'
Not quite. One hectogram is 100 grams (this is one "hekto" in
Swedish). One decagram is 10 grams.
I think the only place I've ever seen the prefix "deca" used is in the
Dune books by Frank Herbert, where they measure water in decaliters.
--
Karl Hasselstr?m, kha@treskal.com
www.treskal.com/kalle
From samuel at Update.UU.SE Mon Feb 21 11:28:37 2005
From: samuel at Update.UU.SE (Samuel ]slund)
Date: Mon Feb 21 11:25:04 2005
Subject: [OT] Re: SHA1 broken?
In-Reply-To: <11e5220b05022023045379c373@mail.gmail.com>
References: <4216312E.5070608@pbl.ca> <200502182130.WAA00455@vulcan.xs4all.nl>
<11e5220b05022023045379c373@mail.gmail.com>
Message-ID: <20050221102837.GA27114@Update.UU.SE>
On Mon, Feb 21, 2005 at 08:04:19AM +0100, Spiff Traq wrote:
> > Aleksandar Milivojevic wrote:
> > >local stores. Asking for 20 dekagrams (as I would do back home in
> > >Europe)
> > I never realised that the prefix "deca" was used in practise at all.
> > I've always learned it to be a prefix that exists only formally.
> > What country are you from?
>
> Here in sweden we use it, we natives spell it 'hekto'
A 'hekto' is very closely associated with 100g of weight, if I heard it
used for measuring any thing else (except a square a with 100 meters
side 'hektar') it would be a little bit surprising.
//Samuel
From amilivojevic at pbl.ca Mon Feb 21 20:10:52 2005
From: amilivojevic at pbl.ca (Aleksandar Milivojevic)
Date: Mon Feb 21 20:07:34 2005
Subject: SHA1 broken?
In-Reply-To: <200502182130.WAA00455@vulcan.xs4all.nl>
References: <200502182130.WAA00455@vulcan.xs4all.nl>
Message-ID: <1109013052.421a323cd5e27@webmail2>
Quoting Johan Wevers
Date: Fri, 18 Feb 2005 22:30:57
> Aleksandar Milivojevic wrote:
>
> >local stores. Asking for 20 dekagrams (as I would do back home in
> >Europe)
>
> I never realised that the prefix "deca" was used in practise at all.
> I've always learned it to be a prefix that exists only formally.
> What country are you from?
From bogus@does.not.exist.com Sat Feb 19 18:06:40 2005
From: bogus@does.not.exist.com ()
Date: Mon Feb 21 20:07:35 2005
Subject: No subject
Message-ID:
quantities of cheese and salami when you go to buy them in stores. Most of
other prefixes are used too. Deci for lenght and volume (usual glass sizes are
1, 2 or 3 decliters), I heard hekto (hecto in english?) used for larger volumes
of liquids (for example, by smaller wine makers). Basically, I preatty much
heard of almost all the prefixes in normal range (from nano to tera) used for
various porupuses.
--
Aleksandar Milivojevic Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
From FHubeny at wittbiomedical.com Mon Feb 21 13:52:07 2005
From: FHubeny at wittbiomedical.com (Frank Hubeny)
Date: Tue Feb 22 12:33:25 2005
Subject: gpg141rc1, and rc2 home directory problems
Message-ID:
Hello Group;
I have found a possible problem with the two release candidates for
GPG141.
It has to do with the home directory. If I uninstall 141, and then
remove the home directory. When I reinstall the program and try to make
a key I get a error about no directory available.
I found that the uninstaller does not remove the registry entries for
141. If I uninstall gpg141, remove the home directory, then remove the
registry enties for gpg141. Then I can reinstall gpg141 and the home
directory is installed at installation.
Small problem I know. But many Window users will not clean up their
registry, it is sort of a no no for most users who are told not to do so
unless they know what to remove, and how to do so.
The work around I found is to just add manually the directory and then
all is well.
Frank Hubeny
RMA Technician
Manufacturing Dept.
Witt Biomedical Corp.
800.669.1328 ext. 179
fhubeny@wittbiomedical.com
From james at jolt.co.uk Tue Feb 22 12:18:17 2005
From: james at jolt.co.uk (James Davis)
Date: Tue Feb 22 13:10:26 2005
Subject: gpg: Oops; keylost!
Message-ID: <421B14F9.3090704@jolt.co.uk>
I get the following error from GPG which is preventing Enigmail from
displaying my public keyring.
E:/gnupg\pubring.gpg
--------------------
gpg: Oops; key lost!
followed by a list of mine and my colleague's key.
What's causing this error and how can I fix it? I've searched the web
but with little luck.
Thanks,
James
From dshaw at jabberwocky.com Tue Feb 22 14:46:52 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Feb 22 14:43:41 2005
Subject: gpg: Oops; keylost!
In-Reply-To: <421B14F9.3090704@jolt.co.uk>
References: <421B14F9.3090704@jolt.co.uk>
Message-ID: <20050222134652.GB31030@jabberwocky.com>
On Tue, Feb 22, 2005 at 11:18:17AM +0000, James Davis wrote:
> I get the following error from GPG which is preventing Enigmail from
> displaying my public keyring.
>
> E:/gnupg\pubring.gpg
> --------------------
> gpg: Oops; key lost!
>
> followed by a list of mine and my colleague's key.
Can you send what GnuPG prints after that error? It indicates what
happened.
In general, though, your pubring.gpg is probably corrupt.
David
From DBSMITH at OhioHealth.com Tue Feb 22 16:19:20 2005
From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com)
Date: Tue Feb 22 16:15:33 2005
Subject: question on multiple public keys
In-Reply-To: <20031015115220.GB1859@jabberwocky.com>
Message-ID:
All
Is there a way that we can add a second key to my file for gpg encryption?
Our DBA in the Import Team needs to have this done so that he can open our
file as well. When this person is out of the office, no one else is able
to access your file unless they can access his computer. We would like to
add another user to the keyring so that he can access your data as well.
please advise!
THANK YOU,
I looked through some emails I saved and found this:
Yes, this is possible. In each user's gpg.conf file, add a line
reading:
keyring /path/to/the/shared/keyring.gpg
Note that when importing a key, each user will import to their own
local keyring unless they specifically state they want to import to
the shared keyring. Likely you don't want the shared keyring to be
imported to by random users, so making it read-only is appropriate.
Derek B. Smith
OhioHealth IT
UNIX / TSM / EDM Teams
614-566-4145
From technojoecoolusa at charter.net Tue Feb 22 17:08:37 2005
From: technojoecoolusa at charter.net (Joseph D. Wagner)
Date: Tue Feb 22 17:04:19 2005
Subject: Unable to Sign RPM Packages
Message-ID: <3rr0ks$j2ah1t@mxip05a.cluster1.charter.net>
I posted this a few days ago, but I didn't get any response.
---------------------------------------------------------------------------
While attempting to sign an RPM package I created using the command:
rpm --addsign _packagename_
I got an error message saying the pass phrase is invalid.
I deleted the contents of the ~/.gnupg directory, which should have completely deleted the key. I generated a new key using the command:
gpg --gen-key
and entered "123" as the passphrase.
No effect. I still get an error message that tells me the pass phrase is wrong. I know I'm typing "123" correctly, so what else could be set incorrectly that would give me this error message?
~/.rpmmacros is as follows:
%_signature gpg
%_gpg_path /home/joseph/.gnupg
%_gpg_name Joseph D. Wagner (For Use with Fedora Core 3)
TIA.
Joseph D. Wagner
From brunij at earthlink.net Wed Feb 23 02:41:48 2005
From: brunij at earthlink.net (Joseph Bruni)
Date: Wed Feb 23 03:11:57 2005
Subject: question on multiple public keys
In-Reply-To:
References:
Message-ID:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Another solution would be to make sure that you encrypt the file to all
the users who should be able to decrypt that file. You can have
multiple "--recipient" entries on the command line. Check out the
"group" functions as well to simplify this process.
- -Joe
On Feb 22, 2005, at 8:19 AM, DBSMITH@OhioHealth.com wrote:
> All
>
> Is there a way that we can add a second key to my file for gpg
> encryption?
> Our DBA in the Import Team needs to have this done so that he can open
> our
> file as well. When this person is out of the office, no one else is
> able
> to access your file unless they can access his computer. We would
> like to
> add another user to the keyring so that he can access your data as
> well.
>
> please advise!
>
> THANK YOU,
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (Darwin)
iQEVAwUBQhvfYlGV1jrNVRjHAQg2Qwf/WrjFsFIHIcRqA7pUKfz7V1SHumURD9kj
IJShLCzbPSukB7K5tGQcKoM2o4UzqznFiArmev7Nj+0j2GJepPufpMVKsqzes4VI
uH6fjKlcJNktObx0/CsQI59QPWZ91NQplgzGTx+YJsnlVO/cvl4j1SnXvthgPug6
GRtdSWk0AFp4lHtTDPm9qHT9cHuuSanrQqc5McrZLAXWARtqChOy8hj69n6hEREd
e2MXGHwxH6NgfIfjleECQXV7OPALyEZXhB1Q366O0Cq7YkFOUUTUuIwXI/tpO1/o
o6KVOLDGXt1Y9u92lneaQpmtxvKITf7QxRKrHsZDkdLbp+KXh6pEsQ==
=Nl6j
-----END PGP SIGNATURE-----
From dhcalva at comcast.net Wed Feb 23 15:57:38 2005
From: dhcalva at comcast.net (David Calvarese)
Date: Wed Feb 23 16:29:31 2005
Subject: gpg.conf
Message-ID: <421C99E2.8060509@comcast.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Hey all,
I was wondering if there's any place on the web (or anywhere) that I can
find out all the parameters that can be used in the gpg.conf file and
their syntax. Especially parameters dealing with
cipher/hash/compression preferences.
Daev
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCHJniSlxKVhydU2ARA9ZDAJwLLynAeWuU2hu17ICiGDhHw6CxPACghbGq
4ut3/8ZMgBnBgCnmeVNob3o=
=Bf/9
-----END PGP SIGNATURE-----
From atom at smasher.org Wed Feb 23 16:43:27 2005
From: atom at smasher.org (Atom Smasher)
Date: Wed Feb 23 16:39:29 2005
Subject: gpg.conf
In-Reply-To: <421C99E2.8060509@comcast.net>
References: <421C99E2.8060509@comcast.net>
Message-ID: <20050223154307.14952.qmail@smasher.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
On Wed, 23 Feb 2005, David Calvarese wrote:
> I was wondering if there's any place on the web (or anywhere) that I can
> find out all the parameters that can be used in the gpg.conf file and
> their syntax. Especially parameters dealing with
> cipher/hash/compression preferences.
================
it's all in the man page. just about all of the long options can be used
in the config file, just leave off the two leading dashes.
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"If you take out the killings, Washington
actually has a very very low crime rate."
-- M. Barry, Mayor of Washington, DC
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBAwAGBQJCHKSlAAoJEAx/d+cTpVci28EIAJ1e1hSNxsabDyy2jDCi481F
VXwVrDZDqCVsJqLuypJi4lVWceqTc+FNDd8EhPb1vPIXtmKxxa2n4CbDf3DGQnKy
bCltisstlkGzr17D2MO3Rs0ufmzhcLUgchPd57PeVwUFAANmIX9ZQU2wQtvAEQo7
UF/UaUUKLZhRT/iBX0eiLja+P410uYZcaSfgbsgiotCk3P/NMQUG8Axf2lzYtcLr
bb51RZ79GuZCMZNgC2ifZqRbWjkBZUVhmZVpB2Q3hecLxRfIU7NQAvmREJKgZ6UH
BbLQ+nakdwHEFA1cPGMjqun2A6PHqOJEWCbyq4fGVB66XQmlPkKEmctGy3gpFUI=
=KIzE
-----END PGP SIGNATURE-----
From sckbr at alltel.net Wed Feb 23 18:56:31 2005
From: sckbr at alltel.net (Bob)
Date: Wed Feb 23 20:07:52 2005
Subject: Revocation certificate created?
Message-ID: <421CC3CF.90501@alltel.net>
Where have I created this revocation certificate, that I might copy and
remove it from my H/D?
--
Bob
From pt at radvis.nu Wed Feb 23 20:24:38 2005
From: pt at radvis.nu (Per Tunedal Casual)
Date: Wed Feb 23 20:18:17 2005
Subject: SHA1 broken?
Message-ID: <6.1.2.0.2.20050223202432.03bf8640@localhost>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi
I read their pressrelease as a statement that they will implement the same
features as in the latest release of GnuPG (1.4.0).
There is nothing about the hottest topic:
signing of keys (self signatures and signatures from others)
Per Tunedal
Keyid: 0xAE053BE0
Fingerprint: D70D 9057 A985 4944 2191 995A 2D74 F09D AE05 3BE0
At 11:18 2005-02-21, you wrote:
>I just read that the PGP Corporation will advance to
>SHA-256 and SHA-512 (http://www.pgp.com/news/sha1.html).
>
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users@gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32) - GPGrelay v0.955
Comment: Vad är en PGP-signatur? www.clipanish.com/PGP/pgp.html
iD8DBQFCHNiUpPsTvNtsBX8RAj/YAKCU22cKZnjl1WJMol4kvOBewljSKwCfT7ZE
zaTqzM6v7jvh9eiXBXgjglI=
=twXu
-----END PGP SIGNATURE-----
From zuxy.meng at gmail.com Wed Feb 23 20:34:50 2005
From: zuxy.meng at gmail.com (Zuxy)
Date: Wed Feb 23 20:31:26 2005
Subject: gpg.conf
In-Reply-To: <421C99E2.8060509@comcast.net>
References: <421C99E2.8060509@comcast.net>
Message-ID:
On Wed, 23 Feb 2005 09:57:38 -0500, David Calvarese wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Hey all,
>
> I was wondering if there's any place on the web (or anywhere) that I can
> find out all the parameters that can be used in the gpg.conf file and
> their syntax. Especially parameters dealing with
> cipher/hash/compression preferences.
>
My FC3 distro includes a vim syntax file for gpg.conf which might help.
--
Zuxy
Beauty is truth,
While truth is beauty.
PGP KeyID: E8555ED6
From cs at rubeo.nl Wed Feb 23 19:47:50 2005
From: cs at rubeo.nl (Cees)
Date: Wed Feb 23 20:44:14 2005
Subject: HI all!
Message-ID: <1741006316.20050223194750@rubeo.nl>
Het is woensdag 23 februari 2005 en 19:46:16 uur :
Hi gnupg-users,
just a little testing message to see if I'm there...
and also a check to see if my signature still remains BAD for no reason
at all. Am having a little trouble with gnupg to get this to work
properly.
--
regards,
Cees
Never run after buses or women: you'll always get left behind.
__________________________________________________________________________________________
The Bat! 3.0.9.1 Deep Alpha [A12F0392] running on Windows XP 5.1 build 2600 Service Pack 2
Deze mail is afkomstig uit het Rubeodomein en dus gegarandeerd virusvrij!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : /pipermail/attachments/20050223/3c0342a0/attachment-0001.pgp
From j.breier at gmx.de Wed Feb 23 23:26:16 2005
From: j.breier at gmx.de (Jakob)
Date: Thu Feb 24 00:14:24 2005
Subject: Which key type for offline signing key + how to get a trusted copy
of gpg signing key
Message-ID: <421D0308.9050701@gmx.de>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
I want to create a key only used for key signing (on an offline system
with Knoppix). As I recently read that 1024bit DSA-keys are quite small
for long time security (let's say 10 years) I wondered whether I should
use a 4048bit RSA-key instead. Is there any reason not to do so?
The Knoppix version I use only comes with GPG 1.2.4 or similar. I would
like to upgrade to GPG 1.4, but have no idea how to get a verified copy
of the GPG signing key (57548DCD). How did you verify your first copy of
this key?
Sorry for my english, and thanks for any replies.
Jakob Breier.
__________
2005-02-23
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
iD8DBQFCHQK5kQFTRHuGzGgRAuVzAJ98w//E9x2zXUIQwNvX0oLUQJAmMQCfcNdj
lX7R4Iz5+fhzsDLgeCI/ceg=
=iFXx
-----END PGP SIGNATURE-----
From timemaster at sillydog.org Thu Feb 24 06:31:56 2005
From: timemaster at sillydog.org (David Vallier)
Date: Thu Feb 24 06:28:15 2005
Subject: HI all!
In-Reply-To: <1741006316.20050223194750@rubeo.nl>
References: <1741006316.20050223194750@rubeo.nl>
Message-ID: <421D66CC.8020006@sillydog.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cees wrote:
>Het is woensdag 23 februari 2005 en 19:46:16 uur :
>
>Hi gnupg-users,
>
> just a little testing message to see if I'm there...
> and also a check to see if my signature still remains BAD for no reason
> at all. Am having a little trouble with gnupg to get this to work
> properly.
>
>
>----------------------------------------------------------------------
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users@gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users
It showed bad over here, this is the error dialog from Enigmail;
gpg: unexpected armor: -----BEGIN PGP MESSAGE-----\r\n
gpg: Signature made 02/23/05 11:47:50 Mountain Standard Time
gpg: using DSA key 1E0D0B2F31F37526
gpg: requesting key 1E0D0B2F31F37526 from hkp server
sks.keyserver.penguin.de
gpg: key 1E0D0B2F31F37526: public key "Cees Schouten (Rubeo)
" imported
[GNUPG:] IMPORTED 1E0D0B2F31F37526 Cees Schouten (Rubeo)
[GNUPG:] IMPORT_OK 1 994E630646B53E8430E8C2131E0D0B2F31F37526
gpg: Total number processed: 1
gpg: imported: 1
[GNUPG:] IMPORT_RES 1 0 1 0 0 0 0 0 0 0 0 0 0 0
[GNUPG:] BADSIG 1E0D0B2F31F37526 Cees Schouten (Rubeo)
gpg: BAD signature from "Cees Schouten (Rubeo) "
Maybe the above will help
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
iEYEARECAAYFAkIdZswACgkQCT6ogSjnGK/2pwCeIa+CTKtUWoE1QgGL+4eG8NBe
iNMAoLqNIeRz8IhoT8IphCej/nIkeHjx
=nGO/
-----END PGP SIGNATURE-----
From wk at gnupg.org Thu Feb 24 09:46:37 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 24 09:46:16 2005
Subject: Which key type for offline signing key + how to get a trusted
copy of gpg signing key
In-Reply-To: <421D0308.9050701@gmx.de> (j.breier@gmx.de's message of "Wed,
23 Feb 2005 23:26:16 +0100")
References: <421D0308.9050701@gmx.de>
Message-ID: <873bvm73bm.fsf@wheatstone.g10code.de>
On Wed, 23 Feb 2005 23:26:16 +0100, Jakob said:
> with Knoppix). As I recently read that 1024bit DSA-keys are quite
> small for long time security (let's say 10 years) I wondered whether I
> should use a 4048bit RSA-key instead. Is there any reason not to do so?
Nowadays it seems that the hash algorithms are the major weakness
digital signatures; so a longer KEy does gain you anything excpept for
preety long and slow signatures. You might want to use a 2k RSA key
so that you can use SHA-256. However, the only MUST algorithm for signing in
OpenPGP is DSA and SHA-1 so by using RSA not everyone will be able to
make use of your key sigtnatures.
> verified copy of the GPG signing key (57548DCD). How did you verify
Signed by me and my key is pretty well connected in the web of trust -
go and check the signatures on my key. See Mail header for the
canonical source of my key in case your keyserver is old and dusted.
Shalom-Salam,
Werner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : /pipermail/attachments/20050224/a3329c12/attachment.pgp
From a_entin at hotmail.com Tue Feb 22 17:14:55 2005
From: a_entin at hotmail.com (Ari Entin)
Date: Thu Feb 24 11:05:03 2005
Subject: Problem With Decrypting Messages In Outlook 2003 w/ Gdata plugin
Message-ID:
Hi,
* Forgive me if this is a repost. I do not believe the original went
through. *
I am having problems with decrypting a plain text messages in Outlook 2003:
When opening the message, the plugin prompts or my passphrase. I type it
and then message then appears unencrypted. When I choose to decrypt the
message, I get an error stating "The message is neither encrypted nor
signed." If I include attachments, they decrypt just fine! Its seems to be
limited to text messages. Note that the message types were all in plain
next (not HTML or RTF) and Word editing is turned OFF. I have tried on a few
different PC's, OS's, etc. Same problem! Anyone aware of this issue or
knows of a cure? Thanks!
Environment:
* OS - Windows XP
* GNUPG version - Tried both 1.2.5 & 1.4.0a
* Outlook Plugin - Gdata G10 v. 0.94
* Outlook version: Tried both Outlook 2000 & 2003.
* Shell - GPG Shell v. 3.32
Ari Entin
From ml at bitfalle.org Thu Feb 24 13:52:10 2005
From: ml at bitfalle.org (markus reichelt)
Date: Thu Feb 24 13:48:55 2005
Subject: Chemnitzer Linuxtage 2005
Message-ID: <20050224125210.GA12113@dantooine>
Hi list,
this might be of interest to German subscribers.
In 9 days there's the "Chemnitzer Linux-Tage 2005".
http://chemnitzer.linux-tage.de/2005/info/
Of course there will be a Key Signing Party again, but you have to
send in your public key(s) by tomorrow at he latest if you want to
participate.
I'll attend so maybe see you there.
--
Bastard Administrator in $hell
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050224/38af853d/attachment.pgp
From sk at intertivity.com Thu Feb 24 14:17:41 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Thu Feb 24 14:13:55 2005
Subject: Chemnitzer Linuxtage 2005
In-Reply-To: <20050224125210.GA12113@dantooine>
References: <20050224125210.GA12113@dantooine>
Message-ID: <421DD3F5.8060509@intertivity.com>
Well, i will not be at the "Chemnitzer Linux-Tage 2005" but
i will be at the "12. Workshop 'Sicherheit in vernetzten Systemen'" of
DFN-CERT ( http://www.dfn-cert.de/events/ws/2005/ ).**
Is anybody else going to be there?
Have
esskar
markus reichelt schrieb:
>Hi list,
>
>this might be of interest to German subscribers.
>
>In 9 days there's the "Chemnitzer Linux-Tage 2005".
>http://chemnitzer.linux-tage.de/2005/info/
>
>Of course there will be a Key Signing Party again, but you have to
>send in your public key(s) by tomorrow at he latest if you want to
>participate.
>
>I'll attend so maybe see you there.
>
>
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users@gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
From og at pre-secure.de Thu Feb 24 18:34:16 2005
From: og at pre-secure.de (Olaf Gellert)
Date: Thu Feb 24 18:34:45 2005
Subject: Chemnitzer Linuxtage 2005
In-Reply-To: <421DD3F5.8060509@intertivity.com>
References: <20050224125210.GA12113@dantooine>
<421DD3F5.8060509@intertivity.com>
Message-ID: <421E1018.1010709@pre-secure.de>
Sascha Kiefer wrote:
> Well, i will not be at the "Chemnitzer Linux-Tage 2005" but
> i will be at the "12. Workshop 'Sicherheit in vernetzten Systemen'" of
> DFN-CERT ( http://www.dfn-cert.de/events/ws/2005/ ).**
> Is anybody else going to be there?
Yes, me and the other guys from DFN-CERT and PRESECURE,
a good opportunity to push your key far up in the web
of trust... :-)
I think there will be no explicit keysigning party
as in the last two years, so bring your keyinfos
(keyID, userID and fingerprint, and better a few
copies of this) and your passport with you...
my keyIDs: 4403EB31, 799241C1, 48285EB9 & AFD42D45
Olaf
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE og@pre-secure.de
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
From sk at intertivity.com Thu Feb 24 20:32:03 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Thu Feb 24 20:28:03 2005
Subject: Check if file is a key file
Message-ID: <001901c51aa7$84e2e4d0$f300a8c0@HOME>
Hi you,
As i'm writing a program that automates the gnupg stuff and i want to achive
the following:
I have a file. Maybe it is a valid key file or it is not. But i want that
gnupg finds
it out for me. My idea was to use dry-run and import: if gnupg is possible
to import
something then I'm sure the file is a key file (or at least, it has an key
in it).
This works fine if the file contains just one key but if the file contains
about 1000-5000
Key,s things are getting slow. So is there a command that tests a file?
Thanks.
Sascha
From og at pre-secure.de Thu Feb 24 21:34:14 2005
From: og at pre-secure.de (Olaf Gellert)
Date: Thu Feb 24 21:34:19 2005
Subject: Check if file is a key file
In-Reply-To: <001901c51aa7$84e2e4d0$f300a8c0@HOME>
References: <001901c51aa7$84e2e4d0$f300a8c0@HOME>
Message-ID: <421E3A46.2040101@pre-secure.de>
Kiefer, Sascha wrote:
> As i'm writing a program that automates the gnupg stuff and i want to achive
> the following:
> I have a file. Maybe it is a valid key file or it is not. But i want that
> gnupg finds
> it out for me. My idea was to use dry-run and import: if gnupg is possible
> to import
> something then I'm sure the file is a key file (or at least, it has an key
> in it).
> This works fine if the file contains just one key but if the file contains
> about 1000-5000
> Key,s things are getting slow. So is there a command that tests a file?
What else could the file be? If I just use the unix command
"file" on some files, I already get the following:
> file .gnupg/pubring.gpg
.gnupg/pubring.gpg: data
> file .gnupg/secring.gpg
.gnupg/secring.gpg: PGP key security ring
> file gellert.asc
gellert.asc: PGP armored data public key block
So it does not recognize a GPG public keyring, but it
does recognize secret keyrings and ASCII-armored keys.
Or do you need something that really checks if the
file contains a VALID key?
Cheers, Olaf
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE og@pre-secure.de
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
From sk at intertivity.com Thu Feb 24 21:45:02 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Thu Feb 24 21:41:17 2005
Subject: Check if file is a key file
In-Reply-To: <421E3A46.2040101@pre-secure.de>
Message-ID: <000701c51ab1$b6fb8e40$f300a8c0@HOME>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Yep. It can be X.509 certificate, or a PKCS#12 file; they will be handled
differently.
Or maybe somebody selects a totally different file, and so on!
Bye the way, i'm looking for a windows solution.
> -----Original Message-----
> From: Olaf Gellert [mailto:og@pre-secure.de]
> Sent: Donnerstag, 24. Februar 2005 21:34
> To: sk@intertivity.com
> Cc: gnupg-users@gnupg.org
> Subject: Re: Check if file is a key file
>
>
> Kiefer, Sascha wrote:
>
> > As i'm writing a program that automates the gnupg stuff and
> i want to
> > achive the following: I have a file. Maybe it is a valid
> key file or
> > it is not. But i want that gnupg finds
> > it out for me. My idea was to use dry-run and import: if
> gnupg is possible
> > to import
> > something then I'm sure the file is a key file (or at
> least, it has an key
> > in it).
> > This works fine if the file contains just one key but if
> the file contains
> > about 1000-5000
> > Key,s things are getting slow. So is there a command that
> tests a file?
>
> What else could the file be? If I just use the unix command
> "file" on some files, I already get the following:
>
> > file .gnupg/pubring.gpg
> .gnupg/pubring.gpg: data
> > file .gnupg/secring.gpg
> .gnupg/secring.gpg: PGP key security ring
> > file gellert.asc
> gellert.asc: PGP armored data public key block
>
> So it does not recognize a GPG public keyring, but it
> does recognize secret keyrings and ASCII-armored keys.
>
> Or do you need something that really checks if the
> file contains a VALID key?
>
> Cheers, Olaf
>
> --
> Dipl.Inform. Olaf Gellert PRESECURE (R)
> Senior Researcher, Consulting GmbH
> Phone: (+49) 0700 / PRESECURE og@pre-secure.de
>
> A daily view on Internet Attacks
> https://www.ecsirt.net/sensornet
>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBQh48zQInDejiptdCEQJ8hgCgzkdMW04wIarv15d+S8hMXQbo8VMAoL7F
DFTS+BDD3SAaa/F46Te+kcyO
=9x/V
-----END PGP SIGNATURE-----
From dshaw at jabberwocky.com Thu Feb 24 23:15:26 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 24 23:12:21 2005
Subject: gpg.conf
In-Reply-To: <421C99E2.8060509@comcast.net>
References: <421C99E2.8060509@comcast.net>
Message-ID: <20050224221526.GB29245@jabberwocky.com>
On Wed, Feb 23, 2005 at 09:57:38AM -0500, David Calvarese wrote:
> Hey all,
>
> I was wondering if there's any place on the web (or anywhere) that I can
> find out all the parameters that can be used in the gpg.conf file and
> their syntax. Especially parameters dealing with
> cipher/hash/compression preferences.
The man page gives all the options, but if someone is looking for a
nice project to do, a web page with each option and commentary would
be a great thing to point people to when they have questions.
David
From dshaw at jabberwocky.com Thu Feb 24 23:16:56 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 24 23:13:31 2005
Subject: Unable to Sign RPM Packages
In-Reply-To: <3rr0ks$j2ah1t@mxip05a.cluster1.charter.net>
References: <3rr0ks$j2ah1t@mxip05a.cluster1.charter.net>
Message-ID: <20050224221656.GC29245@jabberwocky.com>
On Tue, Feb 22, 2005 at 10:08:37AM -0600, Joseph D. Wagner wrote:
> I posted this a few days ago, but I didn't get any response.
>
> ---------------------------------------------------------------------------
>
> While attempting to sign an RPM package I created using the command:
>
> rpm --addsign _packagename_
>
> I got an error message saying the pass phrase is invalid.
>
> I deleted the contents of the ~/.gnupg directory, which should have completely deleted the key. I generated a new key using the command:
>
> gpg --gen-key
>
> and entered "123" as the passphrase.
>
> No effect. I still get an error message that tells me the pass
> phrase is wrong. I know I'm typing "123" correctly, so what else
> could be set incorrectly that would give me this error message?
>
> ~/.rpmmacros is as follows:
>
> %_signature gpg
> %_gpg_path /home/joseph/.gnupg
> %_gpg_name Joseph D. Wagner (For Use with Fedora Core 3)
Do things work properly without rpm calling gpg for you? That is, can
you sign any old file 'gpg --sign foo' ?
If so, then you need to ask the rpm folks for help, since gpg is
working properly.
David
From dhcalva at comcast.net Fri Feb 25 02:04:39 2005
From: dhcalva at comcast.net (David Calvarese)
Date: Fri Feb 25 02:36:00 2005
Subject: gpg.conf
In-Reply-To: <20050224221526.GB29245@jabberwocky.com>
References: <421C99E2.8060509@comcast.net>
<20050224221526.GB29245@jabberwocky.com>
Message-ID: <421E79A7.4000004@comcast.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
David Shaw wrote:
> On Wed, Feb 23, 2005 at 09:57:38AM -0500, David Calvarese wrote:
>> Hey all,
>>
>> I was wondering if there's any place on the web (or anywhere) that I can
>> find out all the parameters that can be used in the gpg.conf file and
>> their syntax. Especially parameters dealing with
>> cipher/hash/compression preferences.
>
> The man page gives all the options, but if someone is looking for a
> nice project to do, a web page with each option and commentary would
> be a great thing to point people to when they have questions.
That would be great to have. In fact, that's about what I was looking
for. The man page is also a lot to slog through to find something. I'm
surprised there isn't a 'man gpg.conf' file like there is for a lot of
other programs.
- --
Dave Calvarese
PGP Key Available at http://home.comcast.net/~dhcalva/DavidCalvarese-dh.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCHnmkSlxKVhydU2ARAxUtAJ9cMn3vWgng1iQp/JiezvFPtsI1MwCeL/rN
4ppDSzixVndbxuPpnyA/BWM=
=ZzHc
-----END PGP SIGNATURE-----
From wk at gnupg.org Fri Feb 25 10:18:52 2005
From: wk at gnupg.org (Werner Koch)
Date: Fri Feb 25 10:16:12 2005
Subject: gpg.conf
In-Reply-To: <20050224221526.GB29245@jabberwocky.com> (David Shaw's message
of "Thu, 24 Feb 2005 17:15:26 -0500")
References: <421C99E2.8060509@comcast.net>
<20050224221526.GB29245@jabberwocky.com>
Message-ID: <87fyzl2e0z.fsf@wheatstone.g10code.de>
On Thu, 24 Feb 2005 17:15:26 -0500, David Shaw said:
> The man page gives all the options, but if someone is looking for a
> nice project to do, a web page with each option and commentary would
> be a great thing to point people to when they have questions.
Indeed. I'll ask the web people who we can do that the best way.
It would also be a nice project to enhance the outdated Gnu Privacy
Handbook.
Salam-Shalom,
Werner
From sk at intertivity.com Fri Feb 25 10:51:36 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Fri Feb 25 10:47:41 2005
Subject: WARNING: key contains preferences for unavailable
Message-ID: <421EF528.9020102@intertivity.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
some keys - spezially the ones created with PGP - throw the above
warning when they are imported.
I know that i shutdown the message using --batch and --quiet but lets
say i want to use this key
for encrypting or signing will it work or will i be asked again?
Thanks.
Sascha
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBQh71EAInDejiptdCEQKBjQCfZ7d3UTD8oHqK2wihl6UlHU+pYyIAmwVP
WhxhG58lyA+xiS1tgHNJDA+4
=pqTm
-----END PGP SIGNATURE-----
From quillo1978 at gmail.com Fri Feb 25 11:06:08 2005
From: quillo1978 at gmail.com (Quillo)
Date: Fri Feb 25 11:01:31 2005
Subject: GPG for windows
Message-ID: <1109325968.4002.24.camel@localhost.localdomain>
Hi,
Can anybody recommend me what software should I install for a windows outlook machine? It's for people completely new to gpg and I need it to be simple and robust, not neccesarily flexible and powerful.
I have downloaded the windows client from gnupg.org and the Gdata plugin for outlook, but I don't know if it's the best option for my needs.
Thanks a lot
Angel
From patrick at mozilla-enigmail.org Fri Feb 25 11:50:14 2005
From: patrick at mozilla-enigmail.org (Patrick Brunschwig)
Date: Fri Feb 25 12:31:19 2005
Subject: Revocation certificate created?
In-Reply-To: <421CC3CF.90501__44754.7800526538$1109191889$gmane$org@alltel.net>
References: <421CC3CF.90501__44754.7800526538$1109191889$gmane$org@alltel.net>
Message-ID: <421F02E6.8030000@mozilla-enigmail.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Bob wrote:
> Where have I created this revocation certificate, that I might copy and
> remove it from my H/D?
Wherever you saved it :-) Enigmail does not have a default location.
You can search on your harddisk for all *.asc files to find it.
- -Patrick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCHwLm2KgHx8zsInsRAhsKAKCJfmRkT4GMFgyMZ9GqN3ABsSGmCACgwaVV
lMefCUlEEzmfks2bJ+Qln6U=
=CLdw
-----END PGP SIGNATURE-----
From johanw at vulcan.xs4all.nl Fri Feb 25 13:36:22 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri Feb 25 13:41:45 2005
Subject: WARNING: key contains preferences for unavailable
In-Reply-To: <421EF528.9020102@intertivity.com> from Sascha Kiefer at "Feb 25,
2005 10:51:36 am"
Message-ID: <200502251236.NAA04231@vulcan.xs4all.nl>
Sascha Kiefer wrote:
>I know that i shutdown the message using --batch and --quiet but lets say i
>want to use this key for encrypting or signing will it work or will i be
>asked again?
I don't know. I guess the key has preferences for IDEA, that GnuPG doesn't
support ot of the box. Install the IDEA plugin or place idea.c in the
cipher dir before compiling and you support it.
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From dshaw at jabberwocky.com Fri Feb 25 14:48:47 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Feb 25 14:45:34 2005
Subject: WARNING: key contains preferences for unavailable
In-Reply-To: <421EF528.9020102@intertivity.com>
References: <421EF528.9020102@intertivity.com>
Message-ID: <20050225134847.GA29689@jabberwocky.com>
On Fri, Feb 25, 2005 at 10:51:36AM +0100, Sascha Kiefer wrote:
> Hi,
>
> some keys - spezially the ones created with PGP - throw the above
> warning when they are imported. I know that i shutdown the message
> using --batch and --quiet but lets say i want to use this key for
> encrypting or signing will it work or will i be asked again?
That warning message means pretty much what it says. PGP creates keys
with preferences that advertise the use of algorithms that GnuPG
doesn't support. GnuPG is warning you that if you use that public key
without fixing the preferences, someone may try and follow those
incorrect preferences and send you something you can't decrypt.
Since you mention PGP, it's probably a case of missing IDEA.
Note this only happens when importing a secret key along with a public
key (or importing a secret key for which you already have a public key
or vice versa).
You should answer 'yes' to the question and allow GnuPG to fix your
preferences.
David
From sk at intertivity.com Fri Feb 25 15:02:07 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Fri Feb 25 14:58:20 2005
Subject: WARNING: key contains preferences for unavailable
In-Reply-To: <20050225134847.GA29689@jabberwocky.com>
References: <421EF528.9020102@intertivity.com>
<20050225134847.GA29689@jabberwocky.com>
Message-ID: <421F2FDF.9050100@intertivity.com>
But then I have to (re-)submit the key, right?
David Shaw schrieb:
>You should answer 'yes' to the question and allow GnuPG to fix your
>preferences.
>
>
From dshaw at jabberwocky.com Fri Feb 25 15:11:06 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Feb 25 15:07:48 2005
Subject: WARNING: key contains preferences for unavailable
In-Reply-To: <421F2FDF.9050100@intertivity.com>
References: <421EF528.9020102@intertivity.com>
<20050225134847.GA29689@jabberwocky.com>
<421F2FDF.9050100@intertivity.com>
Message-ID: <20050225141105.GB29689@jabberwocky.com>
On Fri, Feb 25, 2005 at 03:02:07PM +0100, Sascha Kiefer wrote:
> David Shaw schrieb:
>
> >You should answer 'yes' to the question and allow GnuPG to fix your
> >preferences.
> But then I have to (re-)submit the key, right?
To a keyserver or to who you are communicating with? Yes. The point
is that your correspondent will use those preferences to decide what
algorithms to use when communicating with you. He or she needs this
updated key to get the correct algorithm list.
David
From DougChamberlin at Earthlink.net Fri Feb 25 14:47:56 2005
From: DougChamberlin at Earthlink.net (Doug Chamberlin)
Date: Fri Feb 25 15:18:18 2005
Subject: Moving key rings?
Message-ID: <5.2.0.9.2.20050225084003.03aeae90@mail.andoversoftware.org>
I have installed GPG on a development machine and used this configuration
to generate a key pair. I have also imported public keys from others.
I now need to copy the key rings being used to a production machine.
Do I have to export my secret key and import it on the production machine
(along with the other public keys)? Can't I just copy the entire GnuPG
directory to the new machine and expect everything to work fine?
Using Windows XP 2000 and GPG 1.4.0
From dshaw at jabberwocky.com Fri Feb 25 15:30:40 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Feb 25 15:27:15 2005
Subject: Moving key rings?
In-Reply-To: <5.2.0.9.2.20050225084003.03aeae90@mail.andoversoftware.org>
References: <5.2.0.9.2.20050225084003.03aeae90@mail.andoversoftware.org>
Message-ID: <20050225143040.GC29689@jabberwocky.com>
On Fri, Feb 25, 2005 at 08:47:56AM -0500, Doug Chamberlin wrote:
> I have installed GPG on a development machine and used this configuration
> to generate a key pair. I have also imported public keys from others.
>
> I now need to copy the key rings being used to a production machine.
>
> Do I have to export my secret key and import it on the production machine
> (along with the other public keys)? Can't I just copy the entire GnuPG
> directory to the new machine and expect everything to work fine?
Yes.
(exporting and reimporting works also)
David
From JPClizbe at comcast.net Fri Feb 25 18:34:33 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Fri Feb 25 18:31:12 2005
Subject: GPG for windows
In-Reply-To: <1109325968.4002.24.camel@localhost.localdomain>
References: <1109325968.4002.24.camel@localhost.localdomain>
Message-ID: <421F61A9.5030104@comcast.net>
Quillo wrote:
> Hi,
>
> Can anybody recommend me what software should I install for a windows
outlook machine? It's for people completely new to gpg and I need it to be
simple and robust, not neccesarily flexible and powerful.
>
> I have downloaded the windows client from gnupg.org and the Gdata
> plugin for outlook, but I don't know if it's the best option for my
> needs.
The only other option for Outlook is PGP.
If other clients are an option, take a look at Thunderbird + Enigmail.
Information on Enigmail is at http://enigmail.mozdev.org.
Another client that I've heard supports GnuPG is The Bat.
--
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 434 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050225/aeccc6d7/signature.pgp
From JPClizbe at comcast.net Fri Feb 25 18:35:24 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Fri Feb 25 18:32:02 2005
Subject: Moving key rings?
In-Reply-To: <5.2.0.9.2.20050225084003.03aeae90@mail.andoversoftware.org>
References: <5.2.0.9.2.20050225084003.03aeae90@mail.andoversoftware.org>
Message-ID: <421F61DC.2090408@comcast.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Doug Chamberlin wrote:
> I have installed GPG on a development machine and used this configuration
> to generate a key pair. I have also imported public keys from others.
>
> I now need to copy the key rings being used to a production machine.
>
> Do I have to export my secret key and import it on the production machine
> (along with the other public keys)? Can't I just copy the entire GnuPG
> directory to the new machine and expect everything to work fine?
Yes copying will work. You need the three *.gpg files as well as gpg.conf.
You can also copy the secret and public keyrings to a temp directory on
the new machine and import them directly.
The caveat on importing or export/importing is that secret keys are not
merged and ultimate trust will need to set set for each keypair.
> Using Windows XP 2000 and GPG 1.4.0
- --
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (MingW32)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the ?33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFCH2HaHQSsSmCNKhARAnOaAJ9RZGzYQGQOL9sBZ5AhOT0pqbOxTgCfXMgz
6d/5gXOTu5VKT8VFmZ/kY5U=
=vJPO
-----END PGP SIGNATURE-----
From finalcut at videotron.ca Fri Feb 25 18:40:01 2005
From: finalcut at videotron.ca (The Final Cut)
Date: Fri Feb 25 18:37:33 2005
Subject: Checking signature on thebat email client
Message-ID: <1459044394.20050225124001@videotron.ca>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello, how can I make gnupg look on internet for signature if I want to verify signature from users?
When I clic the check icon, a popup accur saying can't verify. Is it possible to make it look on key websites?
thanks
- --
The FinalCut
finalcut@videotron.ca
TheBat 3.0.2.10
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (MingW32)
iD8DBQFCH2L1mZdOAsVmU04RAsVaAJ474RlanZZesOL7ZB+LAtNNoBwJfgCgldmg
e9ZkfjKDx75ehymzr0X0B9c=
=FlMs
-----END PGP SIGNATURE-----
From linux at codehelp.co.uk Fri Feb 25 19:16:39 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Fri Feb 25 19:13:02 2005
Subject: Checking signature on thebat email client
In-Reply-To: <1459044394.20050225124001@videotron.ca>
References: <1459044394.20050225124001@videotron.ca>
Message-ID: <200502251816.40360.linux@codehelp.co.uk>
On Friday 25 February 2005 5:40 pm, The Final Cut wrote:
> gpgkeys: key 99974E02C566534E not found on keyserver
> Hello, how can I make gnupg look on internet for signature if I want to
> verify signature from users?
Put this in your .gnupg/gpg.conf
keyserver hkp://subkeys.pgp.net
keyserver-options auto-key-retrieve
> When I clic the check icon, a popup accur saying can't verify. Is it
> possible to make it look on key websites?
You meant keyservers.
You also need to send your public key to a keyserver:
> gpgkeys: key 99974E02C566534E not found on keyserver
$ gpg --keyserver subkeys.pgp.net --send-key 0xC566534E
--
Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.neil.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050225/fc5fa534/attachment.pgp
From mreese at calarts.edu Fri Feb 25 20:01:39 2005
From: mreese at calarts.edu (Melissa Reese)
Date: Fri Feb 25 20:52:28 2005
Subject: GPG for windows
In-Reply-To: <421F61A9.5030104@comcast.net>
References: <1109325968.4002.24.camel@localhost.localdomain>
<421F61A9.5030104@comcast.net>
Message-ID: <562501.20050225110139@calarts.edu>
Hi John,
On Friday, February 25, 2005, at 9:34:33 AM PST, you wrote:
> Another client that I've heard supports GnuPG is The Bat.
Indeed it does. Full integration with either GnuPG or PGP, including
PGP/MIME with both. The integrated support for both is built in, so
there's no need for third party plug-ins.
Though Windows users can use GnuPG as a purely command line program as
well, there are a couple of GUI front ends that can make it just as
easy, and in some ways better than using PGP in Windows (in my
opinion).
Though it's not open source, "GPGshell" is a great GUI front end for
GnuPG in Windows, and just like PGPtray, PGPkeys, etc., can be used
with any email client or text editor, and also includes shell support.
Over the years, I've kept an eye on WinPT as well, and while this one
is open source, I've just never been as satisfied with it as I've been
with GPGshell, which I feel has always been both more polished and
more stable than WinPT.
Windows users of GnuPG interested in a GUI front end for GnuPG can
find GPGshell or WinPT here:
GPGshell: http://www.jumaros.de/rsoft/index.html
WinPT: http://winpt.sourceforge.net/en/
--
Melissa
PGP public keys:
mailto:pgp_keys@gmx.co.uk?subject=0xFB04F2E9&Body=Please%20send%20keys
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
Url : /pipermail/attachments/20050225/3431a3f8/attachment.pgp
From dhcalva at comcast.net Fri Feb 25 21:10:02 2005
From: dhcalva at comcast.net (David Calvarese)
Date: Fri Feb 25 21:06:55 2005
Subject: GPG for windows
In-Reply-To: <562501.20050225110139@calarts.edu>
References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net>
<562501.20050225110139@calarts.edu>
Message-ID: <421F861A.7070405@comcast.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Melissa Reese wrote:
> Hi John,
>
> On Friday, February 25, 2005, at 9:34:33 AM PST, you wrote:
>
>> Another client that I've heard supports GnuPG is The Bat.
>
> Indeed it does. Full integration with either GnuPG or PGP, including
> PGP/MIME with both. The integrated support for both is built in, so
> there's no need for third party plug-ins.
One Caveat, The Bat! has a few quirks and things that need fixed with
it's GnuPG support that work right when using PGP. They're bad enough
that I'm now using Thunderbird with Enigmail for email.
- --
Dave Calvarese
PGP Key Available at http://home.comcast.net/~dhcalva/DavidCalvarese-DH.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCH4YYSlxKVhydU2ARA0M6AJ9CrOj7VPXEYLhYPQA8N1rjDAuejwCggU4b
wVSPEcrqBEIqj2LDmCuwlHA=
=NCbt
-----END PGP SIGNATURE-----
From ml at bitfalle.org Fri Feb 25 21:57:26 2005
From: ml at bitfalle.org (markus reichelt)
Date: Fri Feb 25 21:54:27 2005
Subject: GPG for windows
In-Reply-To: <421F861A.7070405@comcast.net>
References: <1109325968.4002.24.camel@localhost.localdomain>
<421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu>
<421F861A.7070405@comcast.net>
Message-ID: <20050225205726.GA6482@dantooine>
David Calvarese wrote:
> > Indeed it does. Full integration with either GnuPG or PGP, including
> > PGP/MIME with both. The integrated support for both is built in, so
> > there's no need for third party plug-ins.
>
> One Caveat, The Bat! has a few quirks and things that need fixed with
> it's GnuPG support that work right when using PGP. They're bad enough
> that I'm now using Thunderbird with Enigmail for email.
well, tried out the bat! first, then enigmail... now I'm using
mutt... guess why :-)
now if only Opera would support GnuPG... *sigh*
--
Bastard Administrator in $hell
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050225/96f38ac0/attachment-0001.pgp
From mreese at calarts.edu Fri Feb 25 22:13:11 2005
From: mreese at calarts.edu (Melissa Reese)
Date: Fri Feb 25 22:09:44 2005
Subject: GPG for windows
In-Reply-To: <20050225205726.GA6482@dantooine>
References: <1109325968.4002.24.camel@localhost.localdomain>
<421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu>
<421F861A.7070405@comcast.net> <20050225205726.GA6482@dantooine>
Message-ID: <1184388110.20050225131311@calarts.edu>
Hi Markus,
On Friday, February 25, 2005, at 12:57:26 PM PST, you wrote:
> well, tried out the bat! first, then enigmail... now I'm using
> mutt... guess why :-)
Well, I've tried Mutt (in Linux), along with all sorts of other email
clients in both Windows and Linux, and I've come to the conclusion
that I'll use a particular email client first and foremost *because of
how it can handle email*, then I'll decide the best way to use GnuPG
and/or PGP with it.
Since GnuPG can be dealt with via command line and/or third party GUI
front ends in Windows, and like PGP, can be used with any email
client/text editor regardless of integration/plug-in status, I'd much
rather stick with an email client I feel is the best for my *email
management*, and use GnuPG or PGP with it in whichever way works best
after that. Seamless email client integration with GnuPG or PGP, or
the lack thereof, is not enough of a reason for me to switch to a
different email client. :-)
--
Melissa
PGP public keys:
mailto:pgp_keys@gmx.co.uk?subject=0xFB04F2E9&Body=Please%20send%20keys
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
Url : /pipermail/attachments/20050225/c9f65921/attachment.pgp
From dhcalva at comcast.net Fri Feb 25 22:08:15 2005
From: dhcalva at comcast.net (David Calvarese)
Date: Fri Feb 25 22:41:50 2005
Subject: GPG for windows
In-Reply-To: <20050225205726.GA6482@dantooine>
References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net>
<562501.20050225110139@calarts.edu> <421F861A.7070405@comcast.net>
<20050225205726.GA6482@dantooine>
Message-ID: <421F93BF.4050508@comcast.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
markus reichelt wrote:
> David Calvarese wrote:
> well, tried out the bat! first, then enigmail... now I'm using
> mutt... guess why :-)
Ahhh! I remember Mutt fondly from when I used Linux all the time.
As I have an IMAP server, Mutt doesn't really do it for me. What
didn't you like about TBird with Enigmail?
> now if only Opera would support GnuPG... *sigh*
That'd be a nice thing. :)
I accidently sent this to Markus on his email account... Anyone know
how to get TBird to send mail to the group when I click reply? This
seems to be the only mailing list I have a problem with.
- --
Dave Calvarese
PGP Key Available at http://home.comcast.net/~dhcalva/DavidCalvarese-DH.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCH5O6SlxKVhydU2ARA4T8AJ41vZPf1elvspBypKozt82WpCPlyQCff0um
vsCPCtIRhb+d1IDyDEwwWZc=
=SoLX
-----END PGP SIGNATURE-----
From ml at bitfalle.org Fri Feb 25 22:46:28 2005
From: ml at bitfalle.org (markus reichelt)
Date: Fri Feb 25 22:43:10 2005
Subject: GPG for windows
In-Reply-To: <1184388110.20050225131311@calarts.edu>
References: <1109325968.4002.24.camel@localhost.localdomain>
<421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu>
<421F861A.7070405@comcast.net> <20050225205726.GA6482@dantooine>
<1184388110.20050225131311@calarts.edu>
Message-ID: <20050225214627.GA7557@dantooine>
Melissa Reese wrote:
> Well, I've tried Mutt (in Linux), along with all sorts of other email
> clients in both Windows and Linux, and I've come to the conclusion
> that I'll use a particular email client first and foremost *because of
> how it can handle email*, then I'll decide the best way to use GnuPG
> and/or PGP with it.
same here, only that I include GnuPG handling as obligatory and not
negotiable. Additionally I'm really fond of plain ascii-configs, it's
a kind of fetish - I'm sure of that after years of testing ;-)
So, while we are discussing email clients (not) able of handling
GnuPG correctly/at all, the most complete listing I've found is at
http://www.bretschneidernet.de/tips/secmua.html.en
--
Bastard Administrator in $hell
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050225/fd96f274/attachment.pgp
From ml at bitfalle.org Fri Feb 25 23:07:35 2005
From: ml at bitfalle.org (markus reichelt)
Date: Fri Feb 25 23:04:22 2005
Subject: GPG for windows
In-Reply-To: <421F93BF.4050508@comcast.net>
References: <1109325968.4002.24.camel@localhost.localdomain>
<421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu>
<421F861A.7070405@comcast.net> <20050225205726.GA6482@dantooine>
<421F93BF.4050508@comcast.net>
Message-ID: <20050225220735.GA7828@dantooine>
David Calvarese wrote:
> Ahhh! I remember Mutt fondly from when I used Linux all the time.
> As I have an IMAP server, Mutt doesn't really do it for me. What
> didn't you like about TBird with Enigmail?
I prefer an email client on the console, in a screen session to be
precise. On my servers I have seldom a GUI available.
> > now if only Opera would support GnuPG... *sigh*
>
> That'd be a nice thing. :)
Yeah, I could exchange encrypted emails with the rest of the family :)
Somehow they stick to Opera and can't be bothered with TB
> I accidently sent this to Markus on his email account... Anyone know
> how to get TBird to send mail to the group when I click reply? This
> seems to be the only mailing list I have a problem with.
recently, Jason Barnett posted on this list:
"T-bird does indeed allow you to reply to newsgroups. Just change
the To: header from the dropdown box."
Does it work for you?
--
Bastard Administrator in $hell
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050225/cf8f14e5/attachment.pgp
From j.breier at gmx.de Sat Feb 26 00:26:06 2005
From: j.breier at gmx.de (Jakob)
Date: Sat Feb 26 00:14:09 2005
Subject: Which key type for offline signing key + how to get a trusted
copy of gpg signing key
In-Reply-To: <873bvm73bm.fsf@wheatstone.g10code.de>
References: <421D0308.9050701@gmx.de> <873bvm73bm.fsf@wheatstone.g10code.de>
Message-ID: <421FB40E.8090005@gmx.de>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Werner Koch wrote:
> On Wed, 23 Feb 2005 23:26:16 +0100, Jakob said:
>
>>[I want to create a key only used for key signing (on an offline
>> system]
>> with Knoppix). As I recently read that 1024bit DSA-keys are quite
>> small for long time security (let's say 10 years) I wondered whether I
>> should use a 4048bit RSA-key instead. Is there any reason not to do so?
>
>
> Nowadays it seems that the hash algorithms are the major weakness
> digital signatures; so a longer KEy does gain you anything excpept for
> preety long and slow signatures. You might want to use a 2k RSA key
> so that you can use SHA-256. However, the only MUST algorithm for
> signing in
> OpenPGP is DSA and SHA-1 so by using RSA not everyone will be able to
> make use of your key sigtnatures.
>
Just to be sure: PGP-*keys* are hashed before they are signed? I thought
they are signed in the same way as checksums are so that this key does
not sign any checksums at all.
>> verified copy of the GPG signing key (57548DCD). How did you verify
>
>
> Signed by me and my key is pretty well connected in the web of trust -
> go and check the signatures on my key. See Mail header for the
> canonical source of my key in case your keyserver is old and dusted.
>
>
> Shalom-Salam,
>
> Werner
Sorry for the latency. An hour ago I realised that the reply function
didn't work properly.
Jakob.
__________
2005-02-26
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
iD8DBQFCH7PLkQFTRHuGzGgRAluxAJ4nmBhEafQH7g2vnVNb/zAqf1yyOQCgywOC
wK5Ecepq0RYty2v1XgKWj64=
=k9Lx
-----END PGP SIGNATURE-----
From dhcalva at comcast.net Sat Feb 26 00:26:36 2005
From: dhcalva at comcast.net (David Calvarese)
Date: Sat Feb 26 00:23:04 2005
Subject: GPG for windows
In-Reply-To: <20050225220735.GA7828@dantooine>
References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net>
<562501.20050225110139@calarts.edu> <421F861A.7070405@comcast.net>
<20050225205726.GA6482@dantooine> <421F93BF.4050508@comcast.net>
<20050225220735.GA7828@dantooine>
Message-ID: <421FB42C.7070205@comcast.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
markus reichelt wrote:
>> I accidently sent this to Markus on his email account... Anyone know
>> how to get TBird to send mail to the group when I click reply? This
>> seems to be the only mailing list I have a problem with.
>
> recently, Jason Barnett posted on this list:
>
> "T-bird does indeed allow you to reply to newsgroups. Just change
> the To: header from the dropdown box."
>
> Does it work for you?
Wrong kind of group. Don't have any problems with newsgroups, it's
replying to this list that's a problem. When I click reply, it
addresses it to you and not to the mailing list. All the other mailing
lists I'm on don't have this problem. It looks as if Tbird isn't
honoring the Mail-Followup-To header.
- --
Dave Calvarese
PGP Key Available at http://home.comcast.net/~dhcalva/DavidCalvarese-DH.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCH7QpSlxKVhydU2ARA4WzAJ9xKe9TtLjg9n1nv1jTwezBlYtOjwCfdM8x
vClqaeK1XGfD/guQKBLkGXw=
=X3QW
-----END PGP SIGNATURE-----
From finalcut at videotron.ca Sat Feb 26 01:51:09 2005
From: finalcut at videotron.ca (The Final Cut)
Date: Sat Feb 26 01:47:32 2005
Subject: Checking signature on thebat email client
In-Reply-To: <200502251816.40360.linux@codehelp.co.uk>
References: <1459044394.20050225124001@videotron.ca>
<200502251816.40360.linux@codehelp.co.uk>
Message-ID: <516485231.20050225195109@videotron.ca>
Hello gnupg-users@gnupg.org
On Friday, February 25, 2005, at 1:16:39 PM
You wrote:
NW> Put this in your .gnupg/gpg.conf
NW> keyserver hkp://subkeys.pgp.net
NW> keyserver-options auto-key-retrieve
where is located this file withing xp?
I have looked in applications data\gnupg where is all the gpg files and its not there
>> When I clic the check icon, a popup accur saying can't verify. Is it
>> possible to make it look on key websites?
NW> You meant keyservers.
NW> You also need to send your public key to a keyserver:
>> gpgkeys: key 99974E02C566534E not found on keyserver
NW> $ gpg --keyserver subkeys.pgp.net --send-key 0xC566534E
thanks
--
The Final Cut
finalcut@videotron.ca
Thebat: 3.0.2.10
From mwlucas at blackhelicopters.org Sun Feb 27 00:27:42 2005
From: mwlucas at blackhelicopters.org (Michael W. Lucas)
Date: Sun Feb 27 00:23:54 2005
Subject: GnuPG book prepub reviewers wanted
Message-ID: <20050226232742.GB75147@bewilderbeast.blackhelicopters.org>
Hello,
I'm in the midst of writing a very small book about GnuPG, called "GPG
for the Desperate." It's modeled after my earlier "Cisco Routers for
the Desperate."
This book will cover the lowest common denominator of GnuPG usage for
the computer-literate user.
I've hit that point where it would be helpful to have outsiders take a
look at what's been finished of the book, and at later chapters as I
finish them.
If you're interested, please take a look at
http://www.blackhelicopters.org/~mwlucas/reviewers.html for a brief
description of what's involved. If you're still interested, please
reply directly to me -- no need to clutter the list with this stuff.
Thanks,
==ml
--
Michael W. Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
http://www.BlackHelicopters.org/~mwlucas/
Latest book: Cisco Routers for the Desperate
http://www.CiscoRoutersForTheDesperate.com
From vedaal at hush.com Sun Feb 27 05:10:09 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Sun Feb 27 05:06:21 2005
Subject: GPG for windows
Message-ID: <200502270410.j1R4ACGW065399@mailserver2.hushmail.com>
>Message: 7
>Date: Fri, 25 Feb 2005 11:01:39 -0800
>From: Melissa Reese
>Subject: Re: GPG for windows
>To: gnupg-users@gnupg.org
>Message-ID: <562501.20050225110139@calarts.edu>
>Content-Type: text/plain; charset="us-ascii"
[...]
>Over the years, I've kept an eye on WinPT as well, and while this
>one
>is open source, I've just never been as satisfied with it as I've
>been
>with GPGshell,
[...]
>WinPT: http://winpt.sourceforge.net/en/
the most recent winpt's have not been there for some time now,
they are on Timo's site here:
http://www.stud.uni-hannover.de/~twoaday/winpt.html
while i agree with you that gpgshell has a 'smooth' PGP feel to it,
if the last time you checked winpt was from the sourceforge site,
you might consider looking at it again from the other link
new advantages:
(1) complete installer package, so that gnupg new users don't need
to play with registry settings
[caveat: this makes it harder to install gpgshell afterwards, as
there are some windows path details that gpgshell is fussy about,
if you already have gpgshell installed, just install winpt without
the gnupg installer]
(2) ability to see all keys and keyid's that the message is
encrypted to, directly from the decryption window
[gpgshell either just gives a passphrase entry window if you want
to see the passphrase as you are typing it, but doesn't tell you
which 'keyid' or even which key it is for,
or it gives you the gnupg command line interface to enter the
passphrase],
also, winpt does not require the passphrase to be cached, in order
to let you see the passphrase as you are typing it in,
and allows this for 'all' gnupg functions;
key generation passwords, key editing password changing, signing a
key, etc.
(3) ability to choose between the primary signing key, and the
signing subkey
[gpgshell uses the gnupg default of using the latest signing subkey
for signing, regardless of clicking on the 'primary' signing key]
(4) the key editing functions are all selectable in the key editing
window,
[gpgshell key editing just transfers you to the gnupg command line
key editing interface]
(5) winpt provides 'wiping' to the same standards as eraser
(DoD or Gutmann settings)
smart card and encrypted disc containers (similar to pgpdisk and
scramdisc) will be added in future versions
i would suggest trying 'both' gpgshell and winpt
and let users decide which they are happier with,
they can always keep 'both' and switch back and forth for whatever
they find more convenient
vedaal
Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434
Promote security and make money with the Hushmail Affiliate Program:
http://www.hushmail.com/about-affiliate?l=427
From lporter at hdsmith.com Sun Feb 27 05:03:55 2005
From: lporter at hdsmith.com (lporter@hdsmith.com)
Date: Sun Feb 27 05:08:44 2005
Subject: Auto Reply to your message ...
Message-ID: <420AC99A00011215@HDSPRIME.hdsmith.com>
----- The following text is an automated response to your message -----
I am on vacation from February 28 through March 4, returing Monday March 7th.
If it is an EDI emergency or HD Smith techinal support emergency,
please email helpdesk@hdsmith.com.
I will try to check my email periodically.
From og at pre-secure.de Sun Feb 27 10:21:17 2005
From: og at pre-secure.de (Olaf Gellert)
Date: Sun Feb 27 10:22:00 2005
Subject: GPG scdaemon help
Message-ID: <4221910D.7030201@pre-secure.de>
Hi all,
just a request for a few short hints: I have some
USB-tokens (eg. Aladdin eToken Pro, Safenet iKey3000)
which seem to work with OpenSC. Is there any FAQ
or tutorial or helpful information on how to make
this work with the smartcard daemon of GPG?
Cheers,
Olaf
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE og@pre-secure.de
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
From jharris at widomaker.com Mon Feb 28 00:06:23 2005
From: jharris at widomaker.com (Jason Harris)
Date: Mon Feb 28 00:02:36 2005
Subject: useless test keys and keyservers
Message-ID: <20050227230623.GA5390@wilma.widomaker.com>
People, please don't upload useless test keys like the one shown below
to keyservers. Clearly, this tester didn't even bother to search for
information on this subject before sending this key to keyserver.linux.it
(an SKS server).
Also, please refrain from creating test keys to check their propagation
through the synchronizing keyservers. If a key is missing from any
particular keyserver which is otherwise well-synchronized, one cannot
determine the cause without reviewing one more more log files on one
or more keyservers.
Thank you.
pub 1024D/A7B58AD1 2005-02-27 TestKey3576 (multisubkey test)
Key fingerprint = 5187 8E72 3EF1 D072 E4B7 06D3 FF23 DE7D A7B5 8AD1
New! attempt to lookup keyholder on biglumber.com.
sig 0x13 A7B58AD1 2005-02-27 [pkey expires 2005-03-02] [selfsig]
sub 1024g/18935DD5 2005-02-27 [subkey]
Key fingerprint = 6A33 C42A 4D99 ECE1 5E94 44E8 588D CFA0 1893 5DD5
sig 0x18 A7B58AD1 2005-02-27 [skey expires 2005-03-02] [keybind, hash: type 2, 19 66]
sub 1024D/D0B614E8 2005-02-27 [subkey]
Key fingerprint = 89F1 2C9D DA78 5B50 1B47 2B92 2793 F402 D0B6 14E8
sig 0x18 A7B58AD1 2005-02-27 [skey expires 2005-03-02] [keybind, hash: type 2, 64 27]
sig 0x18 A7B58AD1 2005-02-27 [skey expires 2005-03-02] [keybind, hash: type 2, 19 66]
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050227/bfbe7f71/attachment.pgp
From minnesotan at runbox.com Mon Feb 28 05:18:02 2005
From: minnesotan at runbox.com (Randy Burns)
Date: Mon Feb 28 06:14:41 2005
Subject: useless test keys and keyservers
Message-ID: <20050228041802.80056.qmail@web50909.mail.yahoo.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Hello Jason,
I wish all pgp keys could automatically be purged from keyservers
on the anniversary of their creation. Then, key owners would know
that obsolete keys will eventually disappear, and know when their
actively searched-for keys (fresh keys as well as freshly-revoked
keys) need to be uploaded again--always just after the
anniversary of their creation. That way, key uploads get spread
throughout the whole year. Wouldn't that be a good thing?
Randy
Sunday, February 27, 2005, 5:06:23 PM, you wrote:
> People, please don't upload useless test keys like the one
> shown below to keyservers. Clearly, this tester didn't even
> bother to search for information on this subject before sending
> this key to keyserver.linux.it (an SKS server).
> Also, please refrain from creating test keys to check their
> propagation through the synchronizing keyservers. If a key is
> missing from any particular keyserver which is otherwise
> well-synchronized, one cannot determine the cause without
> reviewing one more more log files on one or more keyservers.
> Thank you.
> pub 1024D/A7B58AD1 2005-02-27 TestKey3576 (multisubkey test)
> Key fingerprint = 5187 8E72
> 3EF1 D072 E4B7 06D3 FF23 DE7D A7B5 8AD1 New! attempt to
> lookup keyholder on biglumber.com. sig 0x13 A7B58AD1
> 2005-02-27 [pkey expires 2005-03-02] [selfsig] sub
> 1024g/18935DD5 2005-02-27 [subkey] Key fingerprint = 6A33
> C42A 4D99 ECE1 5E94 44E8 588D CFA0 1893 5DD5 sig 0x18
> A7B58AD1 2005-02-27 [skey expires 2005-03-02] [keybind, hash:
> type 2, 19 66] sub 1024D/D0B614E8 2005-02-27 [subkey] Key
> fingerprint = 89F1 2C9D DA78 5B50 1B47 2B92 2793 F402 D0B6
> 14E8 sig 0x18 A7B58AD1 2005-02-27 [skey expires 2005-03-02]
> [keybind, hash: type 2, 64 27] sig 0x18 A7B58AD1 2005-02-27
> [skey expires 2005-03-02] [keybind, hash: type 2, 19 66]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (MingW32) - GPGshell v3.32
Comment: Public Keys: www.geocities.com/burns98/pgp
iD8DBQFCIpqlO1wFkBRYxW8RA2KPAJ9tf1XasFGV7cqCImYwvVkkWbZrJgCgz86O
/wW90N5NDRSozt0sveJ7O1U=
=DwWg
-----END PGP SIGNATURE-----
From twoaday at gmx.net Mon Feb 28 10:37:09 2005
From: twoaday at gmx.net (Timo Schulz)
Date: Mon Feb 28 11:44:40 2005
Subject: GPG for windows
In-Reply-To: <562501.20050225110139@calarts.edu>
References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net>
<562501.20050225110139@calarts.edu>
Message-ID: <4222E645.3030306@gmx.net>
Melissa Reese wrote:
> WinPT: http://winpt.sourceforge.net/en/
The _new_ primary WinPT site is now http://www.winpt.org.
(It is not redirected any longer to the SF.net website!)
Timo
From shatadal at vfemail.net Mon Feb 28 11:37:45 2005
From: shatadal at vfemail.net (Shatadal)
Date: Mon Feb 28 12:34:52 2005
Subject: GnuPG and registry keys
Message-ID: <4222F479.8080103@vfemail.net>
I got interested in this issue when I was trying out the
PortableThunderbird-Enigmail project
(http://dev.weavervsworld.com/projects/ptbirdeniggpg/). When I started
it up I got the following message
"PortableThunderbird has detected the GNUPG key in HKEY_LOCAL_MACHINE
PortableThunderbird writes values to the GNUPG key in HKEY_CURRENT_USER,
this allows non-admin users to use Portable Thunderbird with Enigmail/GPG.
Having the GNUPG key in both HKLM and HKCU may cause undesired behaviour.
Delete HKLM\Software\GNU\GNUPG and continue?"
When I checked my registry I saw that I do have both the keys. Could
this cause any problems in using GnuPG? I use GnuPG from a
non-administrator account.
Thanks,
Shatadal.
From mwood at IUPUI.Edu Mon Feb 28 15:09:00 2005
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Mon Feb 28 15:51:11 2005
Subject: GnuPG and registry keys
In-Reply-To: <4222F479.8080103@vfemail.net>
References: <4222F479.8080103@vfemail.net>
Message-ID:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 28 Feb 2005, Shatadal wrote:
[snip]
> "PortableThunderbird has detected the GNUPG key in HKEY_LOCAL_MACHINE
> PortableThunderbird writes values to the GNUPG key in HKEY_CURRENT_USER,
> this allows non-admin users to use Portable Thunderbird with Enigmail/GPG.
> Having the GNUPG key in both HKLM and HKCU may cause undesired behaviour.
If PortableThunderbird behaves undesirably in such circumstances, it is
improperly designed. Tell them to read the Logo Requirements again. User
settings go in HKCU, and systemwide settings go in HKLM, and if some
software is confused by the presence of both then it must be rewritten to
correctly implement this distinction, at which time the confusion will
vanish.
> Delete HKLM\Software\GNU\GNUPG and continue?"
This is definitely bad behavior. Every "designed for Windows xxx" product
creates such a key for itself. Only that product's uninstaller should
remove such keys.
- --
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
Open-source executable: $0.00. Source: $0.00 Control: priceless!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/
iD8DBQFCIyYAs/NR4JuTKG8RAnnbAJ96jpE1vw2icRN9zb6Tx5fi7OEs8gCeLuq3
Pzdw81PJMywO/PoW9GdZ2RA=
=2vm1
-----END PGP SIGNATURE-----
From dhcalva at fastmail.us Mon Feb 28 15:33:06 2005
From: dhcalva at fastmail.us (David Calvarese)
Date: Mon Feb 28 16:27:52 2005
Subject: useless test keys and keyservers
In-Reply-To: <20050228041802.80056.qmail@web50909.mail.yahoo.com>
References: <20050228041802.80056.qmail@web50909.mail.yahoo.com>
Message-ID: <42232BA2.9030902@fastmail.us>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Randy Burns wrote:
> Hello Jason,
>
> I wish all pgp keys could automatically be purged from keyservers
> on the anniversary of their creation. Then, key owners would know
> that obsolete keys will eventually disappear, and know when their
> actively searched-for keys (fresh keys as well as freshly-revoked
> keys) need to be uploaded again--always just after the
> anniversary of their creation. That way, key uploads get spread
> throughout the whole year. Wouldn't that be a good thing?
How about just purging a Key that's had no activity in X amount of time,
say Six months?
On a side note, does anyone know of any way to get Thunderbird (And
presumably other email clients as well) to reply to the list address
instead of the person writing the email for this list? This seems to be
the only one I'm having a problem with.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
- --
Dave Calvarese
Member of E-mailaholics International
PGP Key Available at http://home.comcast.net/~dhcalva/DavidCalvarese-DH.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCIyuhSlxKVhydU2ARA4TUAJ4ocLTjNLYdbAwB8n0XXX3OHViMjgCffmSx
6WDenhCAQef7Pf2g/uls5eM=
=iPfE
-----END PGP SIGNATURE-----
From minnesotan at runbox.com Mon Feb 28 17:53:01 2005
From: minnesotan at runbox.com (Randy Burns)
Date: Mon Feb 28 17:49:43 2005
Subject: useless test keys and keyservers
In-Reply-To: <200502280747.27681.linux@codehelp.co.uk>
Message-ID: <20050228165302.11208.qmail@web50903.mail.yahoo.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
via private email:
On Monday 28 February 2005 4:18 am, Randy Burns wrote:
>> I wish all pgp keys could automatically be purged from keyservers
>> on the anniversary of their creation.
> But then many, many keys would be unavailable at any one time.
> With only 365 days a year and so many tens of thousands of
> keys, that's a lot of keys every single day.
Could some keys be flagged, to not to be deleted ever? Keep a
list of such keys for your keyserver (that would propagate with
synchronization)? Why not?
Examples:
0x614239DC 9/7/2000 [expired: 1/1/2001)] PGP Security Software
Release Key 2000
0xB0C6598E 1/2/2001 [expired: 1/1/2002)] PGP Security Software
Release Key 2001
I think so.
Or, maybe, have two kinds of keyservers--expiring database
keyservers and non-expiring database keyservers?
PGP Global Directory could be that, except that they limit keys
to one key per email address.
> The point with a keyserver is that the key is always available
> and always up to date. It's especially important that revoked
> and expired keys are continuously available - when someone
> queries for a key that has been revoked, it is imperative that
> the keyserver always gives a definitive answer. "Sorry, I'm
> waiting for that one to be sent back but last time I saw it, it
> was revoked" is not good enough.
> An attacker would know the anniversary date and could put up an
> attacked key in it's place - in the lagtime before the real
> owner connects to the internet, the wrong key is in use. After
> all, the attacker has the key before it is revoked and is
> unlikely to knowingly refresh the key to import the revocation
> certificate so his copy will be unrevoked - he can just as
> easily put that onto the keyserver as the real owner.
Isn't that something to be aware of in any case?
> Your purge could result in many attacked (and currently
> revoked) keys suddenly becoming usable again - the real owner
> may not keep a copy of their revoked key if they don't have
> much data that was encrypted to that key before the attack. The
> attacker certainly does have an unrevoked copy, public and
> secret.
I think it's the responsibility of the person who revoked it to
to keep the revocations out there. Once nobody has searched for a
key in five years, however, why have it in the database, revoked
or not?
> Then you've got the whole keyserver synchronisation to consider
> - by your reasoning, the key would disappear completely from
> every keyserver at the same time! If you change the date of
> removal so that each keyserver purges at a different time, the
> key will be refreshed from another keyserver at next sync,
> rather than from the user so you lose the entire point of your
> proposal.
>> Then, key owners would know that obsolete keys will
>> eventually disappear, and know when their actively
>> searched-for keys (fresh keys as well as freshly-revoked keys)
>> need to be uploaded again--always just after the anniversary
>> of their creation. That way, key uploads get spread throughout
>> the whole year.
> But many keys don't change year to year - there's nothing wrong
> with that. Just because a key doesn't change, there's no reason
> to think it's out of use.
>> Wouldn't that be a good thing?
> No, it would be a very BAD thing - it's part of the controversy
> over PGP GD.
> If you want to use a keyserver that implements that kind of
> policy, fine, just be very careful to use a full-size keyserver
> to refresh your keys in case someone revoked their key
> coincidentally just before the arbitrary creation anniversary
> date.
Fine. I'm not opposed to having both types of keyserver. Also,
since anybody can upload the keys. If your key is signed by
twenty keys, then you could keep those keys in circulation along
with your own if you notice that too many of the signatures on
your key are listed as "unknown."
Just an idea. But, if PGP ever gains wide use--to the point where
200 million internet users know what it is and how to use
it--then something will need to be done to prune back all the
dead keys, I would think.
Best,
Randy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (MingW32) - GPGshell v3.32
Comment: Public Keys: www.geocities.com/burns98/pgp
iD8DBQFCI0szO1wFkBRYxW8RA60IAJ0XQ+sMSUpRtO3uj/g+PuBoe5ziLgCfVoJJ
1sd13DArml29lMXtZj23eqo=
=qZ6M
-----END PGP SIGNATURE-----
From lporter at hdsmith.com Mon Feb 28 17:47:40 2005
From: lporter at hdsmith.com (lporter@hdsmith.com)
Date: Mon Feb 28 17:52:29 2005
Subject: Auto Reply to your message ...
Message-ID: <420AC99A00011D0C@HDSPRIME.hdsmith.com>
----- The following text is an automated response to your message -----
I am on vacation from February 28 through March 4, returing Monday March 7th.
If it is an EDI emergency or HD Smith techinal support emergency,
please email helpdesk@hdsmith.com.
I will try to check my email periodically.
From linux at codehelp.co.uk Mon Feb 28 18:16:31 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Mon Feb 28 18:13:05 2005
Subject: useless test keys and keyservers
In-Reply-To: <20050228041802.80056.qmail@web50909.mail.yahoo.com>
References: <20050228041802.80056.qmail@web50909.mail.yahoo.com>
Message-ID: <200502281716.36315.linux@codehelp.co.uk>
On Monday 28 February 2005 4:18 am, Randy Burns wrote:
> I wish all pgp keys could automatically be purged from keyservers
> on the anniversary of their creation.
Sorry, I didn't check the reply address - this was meant for the list.
But then many, many keys would be unavailable at any one time. With only 365
days a year and so many tens of thousands of keys, that's a lot of keys every
single day.
The point with a keyserver is that the key is always available and always up
to date. It's especially important that revoked and expired keys are
continuously available - when someone queries for a key that has been
revoked, it is imperative that the keyserver always gives a definitive
answer. "Sorry, I'm waiting for that one to be sent back but last time I saw
it, it was revoked" is not good enough.
An attacker would know the anniversary date and could put up an attacked key
in it's place - in the lagtime before the real owner connects to the
internet, the wrong key is in use. After all, the attacker has the key before
it is revoked and is unlikely to knowingly refresh the key to import the
revocation certificate so his copy will be unrevoked - he can just as easily
put that onto the keyserver as the real owner.
Your purge could result in many attacked (and currently revoked) keys suddenly
becoming usable again - the real owner may not keep a copy of their revoked
key if they don't have much data that was encrypted to that key before the
attack. The attacker certainly does have an unrevoked copy, public and
secret.
Then you've got the whole keyserver synchronisation to consider - by your
reasoning, the key would disappear completely from every keyserver at the
same time! If you change the date of removal so that each keyserver purges at
a different time, the key will be refreshed from another keyserver at next
sync, rather than from the user so you lose the entire point of your
proposal.
> Then, key owners would know
> that obsolete keys will eventually disappear, and know when their
> actively searched-for keys (fresh keys as well as freshly-revoked
> keys) need to be uploaded again--always just after the
> anniversary of their creation. That way, key uploads get spread
> throughout the whole year.
But many keys don't change year to year - there's nothing wrong with that.
Just because a key doesn't change, there's no reason to think it's out of
use.
> Wouldn't that be a good thing?
>
No, it would be a very BAD thing - it's part of the controversy over PGP GD.
If you want to use a keyserver that implements that kind of policy, fine, just
be very careful to use a full-size keyserver to refresh your keys in case
someone revoked their key coincidentally just before the arbitrary creation
anniversary date.
--
Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.neil.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050228/50717c07/attachment.pgp
From linux at codehelp.co.uk Mon Feb 28 18:30:17 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Mon Feb 28 18:26:50 2005
Subject: useless test keys and keyservers
In-Reply-To: <20050228165302.11208.qmail@web50903.mail.yahoo.com>
References: <20050228165302.11208.qmail@web50903.mail.yahoo.com>
Message-ID: <200502281730.21417.linux@codehelp.co.uk>
On Monday 28 February 2005 4:53 pm, Randy Burns wrote:
> Could some keys be flagged, to not to be deleted ever? Keep a
> list of such keys for your keyserver (that would propagate with
> synchronization)? Why not?
Which? Who decides?
> Examples:
>
> 0x614239DC 9/7/2000 [expired: 1/1/2001)] PGP Security Software
> Release Key 2000
>
> 0xB0C6598E 1/2/2001 [expired: 1/1/2002)] PGP Security Software
> Release Key 2001
>
> I think so.
But signatures made by those keys will still be around in 5 years time and
people will want to know who the signatory was.
All keys need to be kept - you can't tell if a key is out of use simply by
waiting for the owner to respond. If the key owner has lost the passphrase or
simply moved email account, the key is orphaned but there is no easy way of
detecting these.
> Or, maybe, have two kinds of keyservers--expiring database
> keyservers and non-expiring database keyservers?
As I said, if you do this, the expiring keyserver is prevented from every
synchronising with the non-expiring and that means everyone using the
expiring keyserver has to check the non-expiring one anyway.
> > An attacker would know the anniversary date and could put up an
> > attacked key in it's place - in the lagtime before the real
> > owner connects to the internet, the wrong key is in use. After
> > all, the attacker has the key before it is revoked and is
> > unlikely to knowingly refresh the key to import the revocation
> > certificate so his copy will be unrevoked - he can just as
> > easily put that onto the keyserver as the real owner.
>
> Isn't that something to be aware of in any case?
No, because if the key is never deleted from the keyserver, uploading an
unrevoked version doesn't UNDO the revocation. A revoked key stays revoked.
> > Your purge could result in many attacked (and currently
> > revoked) keys suddenly becoming usable again - the real owner
> > may not keep a copy of their revoked key if they don't have
> > much data that was encrypted to that key before the attack. The
> > attacker certainly does have an unrevoked copy, public and
> > secret.
>
> I think it's the responsibility of the person who revoked it to
> to keep the revocations out there.
And how are they meant to do that if the keyserver deletes it?
> Once nobody has searched for a
> key in five years, however, why have it in the database, revoked
> or not?
That requires massive logs of which keys have been searched and then you
include all those that search for "Joe Bloggs" or "0xDEADBEEF" - they get
lots of hits, but do all of those count?
> Fine. I'm not opposed to having both types of keyserver.
I don't want any keyserver to delete anything - even if the owner doesn't want
it around there are others who might, particularly if the key has made any
kind of public signature.
Useless test keys are a problem, agreed, but creating an automated filter that
can tell the difference is v.hard.
If keys start disappearing from keyservers when they are still in use, we'll
all end up having to use keys on personal websites and the whole thing
becomes even more burdensome.
> Also,
> since anybody can upload the keys. If your key is signed by
> twenty keys, then you could keep those keys in circulation along
> with your own if you notice that too many of the signatures on
> your key are listed as "unknown."
?? What is the point of that?? People sign my key without any prompting and
without any verification already. (Note to anyone reading this: Please do NOT
sign my key until we meet face to face.)
> Just an idea. But, if PGP ever gains wide use--to the point where
> 200 million internet users know what it is and how to use
> it--then something will need to be done to prune back all the
> dead keys, I would think.
--
Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.neil.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050228/f2763c45/attachment.pgp
From henkdebruijn at wanadoo.nl Mon Feb 28 18:58:25 2005
From: henkdebruijn at wanadoo.nl (Henk de Bruijn)
Date: Mon Feb 28 18:54:49 2005
Subject: GPG for windows
In-Reply-To: <4222E645.3030306@gmx.net>
References: <1109325968.4002.24.camel@localhost.localdomain>
<421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu>
<4222E645.3030306@gmx.net>
Message-ID: <1946253126.20050228185825@wanadoo.nl>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 28 Feb 2005 10:37:09 +0100GMT (28-2-2005, 10:37 +0100, where I
live), Timo Schulz wrote:
> Melissa Reese wrote:
>> WinPT: http://winpt.sourceforge.net/en/
> The _new_ primary WinPT site is now http://www.winpt.org.
> (It is not redirected any longer to the SF.net website!)
I am using GnuPG 1.4.1rc2 with GPGshell 3.32
Is it possible to use/try WinPT next to them? What/which version
should I download?
- --
Henk
______________________________________________________________________
The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2
PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678
Gossamer Spider Web of Trust GSWoT http://www.gswot.org/
A Progressive and Innovative Web of Trust
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (MingW32) - GPGrelay v0.956
iD8DBQFCI1vVEgabk9vm5ngRAuu7AJ0aODBNeShA/bvfrGpUmAW5L1s+fQCg5uza
CxrkJuuhwVuDbUPy6ObI0ls=
=4vWb
-----END PGP SIGNATURE-----
From mreese at calarts.edu Mon Feb 28 19:19:00 2005
From: mreese at calarts.edu (Melissa Reese)
Date: Mon Feb 28 19:15:51 2005
Subject: useless test keys and keyservers
In-Reply-To: <42232BA2.9030902@fastmail.us>
References: <20050228041802.80056.qmail@web50909.mail.yahoo.com>
<42232BA2.9030902@fastmail.us>
Message-ID: <1729174158.20050228101900@calarts.edu>
Hi David,
On Monday, February 28, 2005, at 6:33:06 AM PST, you wrote:
> How about just purging a Key that's had no activity in X amount of
> time, say Six months?
I think Neil made some interesting points about the automatic purging
option, but I am very interested in a couple things the new PGP Global
Directory beta makes possible, which allows a key owner to not only
remove their own keys from the keyserver, but also to decide whether
or not their keys are uploaded to the keyserver in the first place.
These are two things I've been wanting to see for a long time, and
wouldn't mind if all the keyservers adopted these options.
> On a side note, does anyone know of any way to get Thunderbird (And
> presumably other email clients as well) to reply to the list address
> instead of the person writing the email for this list? This seems to
> be the only one I'm having a problem with.
I'll have to look into the possibilities of Thunderbird some more, but
in my default email client, "The Bat!", I can accomplish this in a few
different ways; by using macros in a reply template based on the
folder (any reply message generated when replying to a message from my
"gnupg users Inbox" folder), address book entry template, or "quick
template" (which can be invoked manually). I've also created a "quick
template" that I can invoke manually if I want to reply off-list to
the original sender of a message instead of to the list.
Many lists will generate their own "reply to" header, in which case I
wouldn't need to do what I've described above, but for this list and a
couple others, I need to use template macros to get reply messages
like this to automatically put the list address in the "To" field of
reply messages.
--
Melissa
PGP public keys:
mailto:pgp_keys@gmx.co.uk?subject=0xFB04F2E9&Body=Please%20send%20keys
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
Url : /pipermail/attachments/20050228/ea13b913/attachment.pgp
From linux at codehelp.co.uk Mon Feb 28 19:49:07 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Mon Feb 28 19:45:39 2005
Subject: useless test keys and keyservers
In-Reply-To: <1729174158.20050228101900@calarts.edu>
References: <20050228041802.80056.qmail@web50909.mail.yahoo.com>
<42232BA2.9030902@fastmail.us>
<1729174158.20050228101900@calarts.edu>
Message-ID: <200502281849.12565.linux@codehelp.co.uk>
On Monday 28 February 2005 6:19 pm, Melissa Reese wrote:
> I think Neil made some interesting points about the automatic purging
> option,
Melissa, could you put your key on a keyserver somewhere?
:-)
> but I am very interested in a couple things the new PGP Global
> Directory beta makes possible, which allows a key owner to not only
> remove their own keys from the keyserver,
I don't like that option - I can't see any benefit to the ordinary user who
simply wants to check the signatures on my key. Plus the GD puts masses of
useless signatures on your key too - my key is one of those that will never
go on GD. It's fortunate that GD have implemented the
non-owner-refuse-submission as this is the only way of protecting your keys
from their signature attacks.
> but also to decide whether
> or not their keys are uploaded to the keyserver in the first place.
IMHO, anyone who signs emails to a public mailing list should make their
public key available with the minimum of fuss. This, to me, means putting it
on one of the recommended keyservers, e.g. subkeys.pgp.net
:-))
> These are two things I've been wanting to see for a long time, and
> wouldn't mind if all the keyservers adopted these options.
All keyservers support the option to not upload your key - it's just that once
a key is public, there's no real way of stopping it being submitted by
someone else. Thereagain, if the key IS public, it should be on a public
keyserver - that's my case.
--
Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.neil.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050228/2c046c01/attachment.pgp
From brunij at earthlink.net Mon Feb 28 20:29:10 2005
From: brunij at earthlink.net (Joseph Bruni)
Date: Mon Feb 28 21:04:05 2005
Subject: building gnupg 1.4.0
Message-ID: <18942834.1109618951414.JavaMail.root@grover.psp.pas.earthlink.net>
When attempting to build gnupg 1.4.0 on os x 10.4 I receive the following compile error:
ttyio.c: In function 'init_ttyfp':
ttyio.c:166: error: 'rl_catch_signals' undeclared (first use in this function)
Is rl_catch_signals part of gnupg or part of the OS?
-Joe
From andriash at telus.net Mon Feb 28 18:45:18 2005
From: andriash at telus.net (Nick Andriash)
Date: Mon Feb 28 21:10:44 2005
Subject: useless test keys and keyservers
In-Reply-To: <42232BA2.9030902@fastmail.us>
References: <20050228041802.80056.qmail@web50909.mail.yahoo.com>
<42232BA2.9030902@fastmail.us>
Message-ID: <20050228104240.425F.ANDRIASH@telus.net>
Hello David Calvarese,
On Monday, February 28 2005 at 07:33 AM PDT, you wrote:
> On a side note, does anyone know of any way to get Thunderbird (And
> presumably other email clients as well) to reply to the list address
> instead of the person writing the email for this list? This seems to be
> the only one I'm having a problem with.
This List is the only one I had a problem with as well, but it was simple to
resolve using Becky because all one has to do is supply the List Address in
the "Reply To" line under Folder Properties. Other Mailers such as The Bat use
Templates, and it too has an easy resolve by creating an address template.
--
~~Nick Andriash~~
Creston, B.C. Canada
From lporter at hdsmith.com Mon Feb 28 21:07:06 2005
From: lporter at hdsmith.com (lporter@hdsmith.com)
Date: Mon Feb 28 21:11:57 2005
Subject: Auto Reply to your message ...
Message-ID: <420AC99A00012278@HDSPRIME.hdsmith.com>
----- The following text is an automated response to your message -----
I am on vacation from February 28 through March 4, returing Monday March 7th.
If it is an EDI emergency or HD Smith techinal support emergency,
please email helpdesk@hdsmith.com.
I will try to check my email periodically.
From swright at physics.adelaide.edu.au Mon Feb 28 21:29:36 2005
From: swright at physics.adelaide.edu.au (Stewart V. Wright)
Date: Mon Feb 28 21:26:18 2005
Subject: building gnupg 1.4.0
In-Reply-To: <18942834.1109618951414.JavaMail.root@grover.psp.pas.earthlink.net>
References: <18942834.1109618951414.JavaMail.root@grover.psp.pas.earthlink.net>
Message-ID: <20050228202936.GA3136@anl.gov>
G'day Joseph,
* Joseph Bruni [050228 14:24]:
> Is rl_catch_signals part of gnupg or part of the OS?
Have you heard of a website called Google? www.google.com
Try searching for 'rl_catch_signals'.
The 4th link suggested is a GnuPG related one..........
http://lists.gnupg.org/pipermail/gnupg-users/2004-December/024056.html
Does this fix your problem?
S.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 274 bytes
Desc: Digital signature
Url : /pipermail/attachments/20050228/523b1cd6/attachment.pgp
From dshaw at jabberwocky.com Mon Feb 28 21:30:39 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Feb 28 21:27:16 2005
Subject: building gnupg 1.4.0
In-Reply-To: <18942834.1109618951414.JavaMail.root@grover.psp.pas.earthlink.net>
References: <18942834.1109618951414.JavaMail.root@grover.psp.pas.earthlink.net>
Message-ID: <20050228203039.GB14484@jabberwocky.com>
On Mon, Feb 28, 2005 at 12:29:10PM -0700, Joseph Bruni wrote:
> When attempting to build gnupg 1.4.0 on os x 10.4 I receive the following compile error:
>
> ttyio.c: In function 'init_ttyfp':
> ttyio.c:166: error: 'rl_catch_signals' undeclared (first use in this function)
>
> Is rl_catch_signals part of gnupg or part of the OS?
It's part of readline. This is fixed in 1.4.1, but in the meantime,
try building with ./configure --without-readline
David
From cyrus at 80d.org Mon Feb 28 22:40:10 2005
From: cyrus at 80d.org (Cyrus Yunker)
Date: Mon Feb 28 23:29:42 2005
Subject: Stopping Useless Keys
Message-ID: <20050228214010.GF93960@80d.org>
One thing that could be done to minimize the number of useless keys
propagating out onto the keyservers is to track down the authors of
the multitude of "GPG HOWTO" articles out there. They should be asked
to change their articles that instruct new users to immediately upload
their keys as soon as they are created.
Key management cannot usually be handled properly in a simple 2 part
article from a technology web magazine.
Most users should first be informed on how to make choices on how they
are going to use their keys (personal / work or just for encrypting
backups), what lifetime they expect for any given key, how
distribution is handled, what signatures are, etc. Subkeys should be
explained properly.
THEN, and only then, should an article go into key generation
procedures. Users should be encouraged to use manual distribution, by
email or otherwise, at the outset as they get comfortable with gpg and
the like. It is at this time when keyprefs can be properly setup,
signatures from friends can be obtained, testing can be done with
other types of OpenPGP implementations, and their uid list can
stabilize somewhat. Authors should encourage key expiry dates of one
or two years (if they are to be uploaded) for the user to become
comfortable with gpg and ensure that any mistakes will eventually
fall by the wayside (and out of precious keyserver storage). Ironing
out keyprefs, etc. before the key is uploaded will reduce future
storage requirements for the keyservers. (Only the last sig-packet is
displayed but in most cases all previous remain if my thinking is
correct. This includes keeping around old uids, expiry dates, etc.)
Users should also receive an intro on the keyserver system and be
encouraged NOT to upload test keys but to play with them manually on
their own machines or with friends only.
When users determine within one or two years they'd like to continue
to use gpg/pgp, they can upload any new signatures or uid list
changes, keypref URLs, etc. and update their key expiry date to a time
farther in the future. This would encourage people to backup their
keys and generate revocation certificates and file them away rather
than letting them vaporize with the latest disk crash.
This may be difficult to do but I believe a campaign could be started
if anybody would be interested in taking on such a project. Users of
this mailing list and other places could be asked to search the web
for any articles (and author links) that instruct users to immediately
upload their keys after creation. These could be collected,
duplicates removed, and verified. Another distributed or collective
effort could send the authors notice on what "the community" would
like their readers to do along with some prepared text on how the
keyserver operate.
Please excuse my old keys. Too much experimentation on my part has
clogged up the keyservers as well. I've learned a great deal since
then.
Cyrus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20050228/0efb0aa4/attachment.pgp